This document introduces a new security notion called constrained chosen-ciphertext security (IND-CCCA) for key encapsulation mechanisms (KEMs). The document proves that any IND-CCCA secure KEM combined with an authenticated symmetric encryption scheme provides indistinguishability against chosen-ciphertext attacks (IND-CCA) secure hybrid encryption. This answers an open question from previous work. The document also presents new KEM constructions that achieve IND-CCCA security based on the decision Diffie-Hellman assumption and weaker n-Linear assumptions.
A Novel Method for Preventing Selective Jamming Attacks in Wireless Networks (IJMER)
The document proposes three novel methods to prevent selective jamming attacks in wireless networks:
1. Strong Hiding Commitment Scheme (SHCS) which uses asymmetric cryptography to commit a sender to a value while keeping it hidden.
2. Cryptographic Puzzle Hiding Scheme which generates puzzles that force attackers to spend time solving before obtaining secret keys.
3. Hiding based on All-Or-Nothing Transformation which partitions messages into blocks that are meaningless individually, preventing selective jamming until all blocks are received.
Using NP Problems to Share Keys in Secret-Key Cryptography (iosrjce)
Public key cryptography has now become an important means for providing confidentiality by its use of key distribution, in which users can do private communication with the help of encryption keys. It also provides digital signatures which allow users to sign keys to verify their identities. But public key cryptography has its own shortcoming regarding the high cost of key distribution and excessive computation in encoding and decoding.
Private key cryptography can avoid all the above problems, but only if we can find a way to share the private key confidentially.
This research presents an innovation, which can be our future approach, using the technology of so-called NP problems for sending or sharing keys with the receiver without any need of a third party. This will provide an open idea where sender and receiver can share any key any number of times for encrypting data confidentially, which is also helpful in overcoming the problem of brute force attacks.
A New Key Agreement Protocol Using BDP and CSP in Non Commutative Groups (Eswar Publications)
The available key agreement schemes using number theory, elliptic curves, etc. are common for cryptanalysts and the associated security is vulnerable. This vulnerability further increases when we talk about modern efficient computers. So there is a need to provide a new mechanism for key agreement with different properties, so that intruders are surprised and communication scenarios become stronger than before. In this paper, we propose a key agreement protocol which works in a non commutative group. We prove that our protocol meets the desired security attributes under the assumption that the Conjugacy Search Problem and Decomposition Problem are hard in non commutative groups.
A Performance Analysis of Generalized Key Scheme Block Cipher (GKSBC) Algorit... (INFOGAIN PUBLICATION)
Information is a commodity. Information has economic value and production of it incurs cost. Securing the information is posing a considerable challenge. Cryptographic technology plays a leading role in securing the owner's right on produced information. A continuous development of new encryption systems is necessitated by the advancement in security and efficiency needs. Cryptanalytic studies have demonstrated the superior capability of the recently developed Generalized Key Scheme Block Cipher (GKSBC) algorithm in terms of stability, execution time and encryption quality compared to standard security algorithms. This paper proposes to evaluate the enduring capacity of GKSBC against various cryptanalytic attacks, viz., Brute-Force Attack, Differential Cryptanalysis, Integral Cryptanalysis, Linear Cryptanalysis and Rectangle attack. None of the traditional attacks are designed to decrypt GKSBC encryption, as the use of the key scheme is different in it, and it is therefore robust to the conventional cryptanalytic attacks.
Circuit ciphertext policy attribute-based hybrid encryption with verifiable (cloudtechnologies42)
Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable, an IEEE project: here Cloud Technologies gives information on Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable.
This document proposes a multiple server scheme for securing fingerprint templates using fuzzy vaults and commutative encryption. The scheme uses an encryption server to encrypt templates with a user-specific key before storing them. A matching server performs enrollment and matching on the encrypted templates. This prevents either server from accessing raw fingerprint data. The client generates temporary encryption keys for each session to further protect the template during transmission between servers. Evaluating the scheme on a fingerprint database, it achieves a zero false accept rate of 12.6%, comparable to other fuzzy vault methods.
Lightweight Cryptography for Distributed PKI Based MANETS (IJCNCJournal)
This document proposes a lightweight cryptography solution for secure communication in mobile ad hoc networks (MANETs). It describes creating a distributed public key infrastructure (PKI) using Shamir's secret sharing to decentralize the certificate authority role among MANET nodes. Each node holds a share of the private key. It then proposes using Tiny Encryption Algorithm (TEA), an efficient symmetric-key cipher, along with elliptic curve Diffie-Hellman key exchange to establish secure communication between nodes with limited resources. The system initializes by having founding MANET nodes act as dealers to distribute secret shares. Nodes then use Diffie-Hellman to independently derive a secret key to encrypt communications.
A NOVEL SECURE COSINE SIMILARITY COMPUTATION SCHEME WITH MALICIOUS ADVERSARIES (IJNSA Journal)
Similarity coefficients play an important role in many aspects. Recently, several schemes were proposed, but these schemes aimed to compute the similarity coefficients of binary data. In this paper, a novel scheme which can compute the coefficients of integers is proposed. To the best of our knowledge, this is the first scheme which can resist malicious adversaries' attacks.
The document discusses the RSA cryptosystem. It begins by explaining that RSA is an important public-key cryptosystem based on the difficulty of factoring large integers. It then provides examples of how RSA works, including choosing prime numbers p and q to generate the public and private keys, and using modular exponentiation to encrypt and decrypt messages. The document also discusses the importance of integer factorization for the security of RSA, and considerations for designing a secure RSA system, such as choosing sufficiently large prime numbers.
Modern-day computer security relies heavily on cryptography as a means to protect the data that we have become increasingly reliant on. The main research in the computer security domain is how to enhance the speed of the RSA algorithm. The computing capability of the Graphic Processing Unit as a co-processor of the CPU can leverage massive parallelism. This paper presents a novel algorithm for calculating the modulo value that can process large powers of numbers which otherwise are not supported by built-in data types. First the traditional algorithm is studied. Secondly, the parallelized RSA algorithm is designed using the CUDA framework. Thirdly, the designed algorithm is realized for small prime numbers and large prime numbers. As a result, the main fundamental problems of the RSA algorithm, such as speed and the use of poor or small prime numbers that has led to significant security holes despite the RSA algorithm's mathematical soundness, can be alleviated by this algorithm.
This document discusses message authentication and encryption. It explains that message authentication aims to protect integrity, validate originator identity, and enable non-repudiation. Message encryption provides authentication if symmetric encryption is used, while public-key encryption requires signing. Message authentication codes (MACs) and hash functions are also examined. The MD5 algorithm is summarized, which takes an input of arbitrary length and produces a 128-bit fingerprint.
This document summarizes several methods for generalizing quantum secret sharing (QSS) schemes by introducing classical shares to play a complementary role to quantum shares. It describes three ways of doing so: compression, inflation, and twin thresholding. Compression allows a QSS scheme to be implemented with fewer quantum players by supplementing with classical shares. Inflation enlarges a QSS scheme by adding only classical shares and players. Twin thresholding introduces separate thresholds for classical and quantum shares based on information dilution. The document provides examples and explanations of how to implement these generalized QSS schemes.
This document presents research on compressing encrypted data. The researchers investigate reversing the traditional order of compressing data before encrypting it. They show that by using principles of coding with side information, it is possible to first encrypt data and then compress it without loss of optimal compression efficiency or security. They prove the theoretical feasibility of this approach and describe a system to implement compression of encrypted data. Computer simulations demonstrate the performance of the proposed system. The researchers identify connections to distributed source coding theory and demonstrate that in some scenarios, reversing the order of encryption and compression does not compromise effectiveness or security.
Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable D... (Maregowda R Byalachinta)
In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegation emerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, during the delegation, the cloud servers could tamper with or replace the delegated ciphertext and respond with a forged computing result with malicious intent. They may also cheat the eligible users by responding to them that they are ineligible for the purpose of cost saving. Furthermore, during the encryption, the access policies may not be flexible enough as well. Since policy for general circuits enables one to achieve the strongest form of access control, a construction for realizing circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system, combined with verifiable computation and the encrypt-then-MAC mechanism, the data confidentiality, the fine-grained access control and the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption. Moreover, an extensive simulation campaign confirms the feasibility and efficiency of the proposed solution.
1) The document discusses developing a simple and secure way to send encrypted messages over the internet using any encryption algorithm.
2) The project aims to prevent hackers from accessing messages by encrypting them during transmission using a popular mono-alphabetic encryption algorithm.
3) The encryption and decryption will be done between a sender and receiver connected over a local area network, with the algorithms coded in Java.
Circuit ciphertext policy attribute-based hybrid encryption with verifiable d... (Shakas Technologies)
In the cloud, for achieving access control and keeping data confidential, the data owners could adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are however more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost.
Exploiting TLS to Disrupt Privacy of Web Application's Traffic (Sandipan Biswas)
In this work, we analyze privacy and security aspects of encryption modes, padding schemes and the order of padding of messages in TLS during encrypted communication between a client and a web application on the server. We show that using padding schemes to pad all packets to hide message sizes during communication, without considering the underlying encryption modes and padding methodology, is not safe.
The document proposes a novel secure scheme for computing the cosine similarity between two integer vectors with malicious adversaries. The scheme uses distributed ElGamal encryption and zero-knowledge proofs to privately compute the cosine coefficient between two parties' vector inputs while preserving privacy. Security analysis shows the scheme can resist attacks from malicious adversaries by simulating the ideal functionality using the encryption scheme and zero-knowledge proofs.
This document provides an overview of cryptography and its applications. It discusses the history of cryptography beginning in ancient Egypt. It defines basic cryptography terminology like plaintext, ciphertext, cipher, key, encryption, decryption, cryptography, and cryptanalysis. It describes classical ciphers like the Caesar cipher and substitution ciphers. It also discusses cryptanalysis techniques, transposition ciphers, modern symmetric ciphers, public key cryptography including RSA, key distribution methods, and hybrid encryption.
Cryptography is the process of securing communication and information. It involves encrypting plaintext into ciphertext using algorithms and decrypting the ciphertext back to plaintext. The main goals of cryptography are confidentiality, integrity, non-repudiation, authentication, access control, and availability. There are three main types of cryptographic algorithms - secret key cryptography which uses the same key for encryption and decryption, public key cryptography which uses different keys for encryption and decryption, and hash functions which are one-way functions to encrypt information irreversibly. Common cryptographic hash functions include MD5 and SHA-1 which are used to verify integrity of files and messages.
Data Security with Colors using RSA is a technique that integrates the RGB color model with the well-known public key cryptographic algorithm RSA (Rivest, Shamir and Adleman). This model provides both confidentiality and authentication to the data sent across the network. The RSA algorithm uses a public key and a private key to encrypt and decrypt the data and thus provides confidentiality. But the public key is known to everyone, and so anyone can encrypt the data and send the message. Hence authentication of users is needed. In this technique we use the RGB color model to provide authentication. Every user will have a unique color assigned to him. A sender must know the receiver's color to send a message. The color value is encrypted using a key which is used as a password while decrypting the message. To decrypt the message, the receiver must provide his color values. If the decrypted color values and his color values are equal, then the sender and receiver are said to be authentic. The data encryption and decryption follows the RSA procedure. Thus both authentication and confidentiality are provided for the data.
ENHANCED SECURE ALGORITHM FOR MESSAGE COMMUNICATION (IJNSA Journal)
This paper puts forward a safe mechanism of data transmission to tackle the security problem of information which is transmitted over the Internet. Encryption standards such as DES (Data Encryption Standard), AES (Advanced Encryption Standard) and EES (Escrowed Encryption Standard) are widely used to solve the problem of communication over an insecure channel. With advanced technologies in computer hardware and software, these standards seem not to be as secure and fast as one would like. In this paper we propose an encryption technique which provides security to both the message and the secret key, achieving confidentiality and authentication. The symmetric algorithm used has two advantages over traditional schemes. First, the encryption and decryption procedures are much simpler, and consequently, much faster. Second, the security level is higher due to the inherent poly-alphabetic nature of the substitution mapping method used here, together with the translation and transposition operations performed in the algorithm. The asymmetric algorithm RSA is known worldwide for its high security. In this paper a detailed report of the process is presented and an analysis is done comparing our proposed technique with familiar techniques.
The researcher focuses on studying fundamental tradeoffs between cache-obliviousness, cache-optimality, and parallelism of algorithms and data structures. Their work combines theory and experiments on topics like stencil computation, dynamic programming, and numerical algorithms. Recent work showed that optimal time and cache complexity can be achieved simultaneously for problems like longest common subsequence via a "cache-oblivious wavefront" scheduling technique. Open questions remain about applying this approach more broadly and understanding tradeoffs between time and cache complexity.
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEM (Zac Darcy)
This document proposes a new efficient proxy signcryption scheme based on the discrete logarithm problem (DLP). The scheme allows an original signer to delegate signing power to a proxy signer, who can then sign messages on behalf of the original signer. The scheme consists of setup, proxy-credential-generation, proxy-signcryption-generation, and proxy-unsigncryption-verification phases. It achieves security requirements like verifiability, unforgeability, identifiability, and prevention of misuse through use of public/private keys and the intractability of computing discrete logarithms. The scheme is proven correct and its security is analyzed.
Cryptography involves encrypting messages to make them secure and immune to attacks. There are traditional ciphers like substitution and transposition ciphers that encrypt text by shifting letters or rearranging them. Modern algorithms like DES use symmetric keys and RSA uses public/private key pairs to encrypt and decrypt messages. Public key cryptography uses different public and private keys, allowing secure communication without pre-sharing keys. Digital signatures authenticate messages using the sender's private key and can be verified by anyone using their public key.
A Modified approach for implementation of an efficient padding scheme in a di... (dannyijwest)
In order to provide secure transaction of documents over an insecure channel, Digital Signature Systems are made use of, and the hash function is an eternal component of them. The requirement of devising an improved approach to reduce the impact of attacks in cryptanalysis formed a driving force behind the emergence of changes in the padding and parsing schemes used from time to time. However, it has been found that these schemes have not proved to be completely as efficient as this critical application demands. Therefore, there is always scope for their improvement. The paper is organized into parts; in the first ones we give an overview of hash functions and a brief presentation of their use in Digital Signatures. The rest of the parts are consecrated to our proposed improvement of the padding structure and comparative results drawn from the correlation coefficients obtained, finishing the paper with a conclusion and future extensions of this work.
Why Should You Pay Attention To Quantum Computing? (Milos Dunjic)
Quantum computing is an exciting and rather unusual field of informatics. Recently I had the privilege to participate in The Quantum Panel, as part of the Payments Canada conference, where I shared some of my views with a wider audience.
Secured Authorized Data Using Hybrid Encryption in Cloud Computing (IJERA Editor)
In today's world, providing security to a public network like a cloud network has become the toughest task; however, to reduce the cost at the time of providing security using cryptographic techniques, users are more likely to delegate the mask of the decryption task to the cloud servers to reduce the computing cost. As a result, attribute-based encryption with delegation emerges. Still, there are caveats and questions remaining in the previous relevant works. For instance, the cloud servers could tamper with or replace the delegated cipher text and respond with a forged computing result with malicious intent. They may also cheat the eligible users by responding to them that they are ineligible for the purpose of cost saving. Furthermore, during the encryption, the access policies may not be flexible enough as well. Since policy for general circuits enables one to achieve the strongest form of access control, a construction for realizing circuit cipher text-policy attribute-based hybrid encryption with verifiable delegation has been considered in our work. In such a system, combined with verifiable computation and the encrypt-then-MAC mechanism, the data confidentiality, the fine-grained access control and the correctness of the delegated computing results are well guaranteed at the same time. Besides, our scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption. Moreover, an extensive simulation campaign confirms the feasibility and efficiency of the proposed solution. There are two complementary forms of attribute-based encryption. One is key-policy attribute-based encryption (KP-ABE) [8], [9], [10], and the other is cipher text-policy attribute-based encryption.
In a KP-ABE system, the decision on the access policy is made by the key distributor instead of the encipherer, which limits the practicability and usability of the system in practical applications. The access policy for general circuits could be regarded as the strongest form of policy expression, since circuits can express any program of fixed running time.
The document proposes an efficient generalized signcryption scheme based on elliptic curve cryptography (ECC) that avoids computationally heavy bilinear pairing operations. It first identifies security issues in a previous tripartite signcryption scheme and proposes corrections. The corrected scheme is extended to support multiple receivers. It then further extends this signcryption scheme to a generalized signcryption scheme that provides either confidentiality, authentication, or a combination of both for messages with multiple receivers. The proposed schemes use only ECC operations and satisfy security properties like forward secrecy and public verification more efficiently than other existing schemes. An application of the generalized signcryption scheme for key management in wireless sensor networks is also discussed.
This document proposes a medical image encryption technique that uses multiple chaotic maps. It utilizes the logistic map, Arnold cat map, and Baker's map within a triple data encryption standard (3DES) scheme. The technique encrypts and decrypts medical images efficiently and securely, making it suitable for transmission over insecure networks. It was tested using the transmission control protocol (TCP)/internet protocol (IP) to transfer encrypted images between a server and client. Experimental results found the method resistant to attacks while maintaining encryption performance.
The document discusses the RSA cryptosystem. It begins by explaining that RSA is an important public-key cryptosystem based on the difficulty of factoring large integers. It then provides examples of how RSA works, including choosing prime numbers p and q to generate the public and private keys, and using modular exponentiation to encrypt and decrypt messages. The document also discusses the importance of integer factorization for the security of RSA, and considerations for designing a secure RSA system, such as choosing sufficiently large prime numbers.
Modern-day computer security relies heavily on cryptography as a means to protect the data that we have
become increasingly reliant on. The main research in computer security domain is how to enhance the
speed of RSA algorithm. The computing capability of Graphic Processing Unit as a co-processor of the
CPU can leverage massive-parallelism. This paper presents a novel algorithm for calculating modulo
value that can process large power of numbers which otherwise are not supported by built-in data types.
First the traditional algorithm is studied. Secondly, the parallelized RSA algorithm is designed using
CUDA framework. Thirdly, the designed algorithm is realized for small prime numbers and large prime
number . As a result the main fundamental problem of RSA algorithm such as speed and use of poor or
small prime numbers that has led to significant security holes, despite the RSA algorithm's mathematical
soundness can be alleviated by this algorithm.
This document discusses message authentication and encryption. It explains that message authentication aims to protect integrity, validate originator identity, and enable non-repudiation. Message encryption provides authentication if symmetric encryption is used, while public-key encryption requires signing. Message authentication codes (MACs) and hash functions are also examined. The MD5 algorithm is summarized, which takes an input of arbitrary length and produces a 128-bit fingerprint.
This document summarizes several methods for generalizing quantum secret sharing (QSS) schemes by introducing classical shares to play a complementary role to quantum shares. It describes three ways of doing so: compression, inflation, and twin thresholding. Compression allows a QSS scheme to be implemented with fewer quantum players by supplementing with classical shares. Inflation enlarges a QSS scheme by adding only classical shares and players. Twin thresholding introduces separate thresholds for classical and quantum shares based on information dilution. The document provides examples and explanations of how to implement these generalized QSS schemes.
This document presents research on compressing encrypted data. The researchers investigate reversing the traditional order of compressing data before encrypting it. They show that by using principles of coding with side information, it is possible to first encrypt data and then compress it without loss of optimal compression efficiency or security. They prove the theoretical feasibility of this approach and describe a system to implement compression of encrypted data. Computer simulations demonstrate the performance of the proposed system. The researchers identify connections to distributed source coding theory and demonstrate that in some scenarios, reversing the order of encryption and compression does not compromise effectiveness or security.
Circuit Ciphertext-policy Attribute-based Hybrid Encryption with Verifiable D...Maregowda R Byalachinta
In the cloud, to achieve access control and keep data confidential, data owners can adopt attribute-based encryption (ABE) to encrypt the stored data. Users with limited computing power are, however, likely to delegate most of the decryption task to the cloud servers to reduce their computing cost, and so attribute-based encryption with delegation has emerged. Still, caveats and open questions remain in previous work. For instance, during delegation the cloud servers could tamper with or replace the delegated ciphertext and return a forged computing result with malicious intent. They may also cheat eligible users by telling them they are ineligible, in order to save cost. Furthermore, the access policies used during encryption may not be flexible enough. Since a policy for general circuits achieves the strongest form of access control, this work considers a construction for circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation. In such a system, combined with verifiable computation and an encrypt-then-MAC mechanism, data confidentiality, fine-grained access control and the correctness of the delegated computing results are guaranteed at the same time. The scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption, and an extensive simulation campaign confirms its feasibility and efficiency.
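Added example, not the paper's scheme: the encrypt-then-MAC half of a hybrid ciphertext, with the receiver verifying the tag before it does anything with the ciphertext it got back from an untrusted server. The keystream is HMAC-SHA256 in counter mode purely so the example runs on the Python standard library; a deployment would use an authenticated cipher such as AES-GCM. `derive_keys`, `malicious_server`, the keys and the payload are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Added example, not the paper's construction: encrypt-then-MAC with
# verify-before-decrypt. HMAC-SHA256 in counter mode stands in for a real
# cipher so this runs on the standard library. Keys and messages are constructed.

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(session_key: bytes):
    """Separate encryption and MAC keys from one symmetric session key."""
    k_enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream (illustration only, not AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_then_mac(session_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """nonce || ciphertext || HMAC(k_mac, nonce || ciphertext)."""
    k_enc, k_mac = derive_keys(session_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(k_enc, nonce, len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def verify_then_decrypt(session_key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was modified in transit/storage."""
    k_enc, k_mac = derive_keys(session_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k_mac, body, hashlib.sha256).digest(), tag):
        return None                     # reject before touching the ciphertext
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))


def malicious_server(blob: bytes) -> bytes:
    """An untrusted party flips one ciphertext bit. Without the MAC, a stream
    cipher would silently flip the same plaintext bit on decryption."""
    i = NONCE_LEN                       # first ciphertext byte
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


if __name__ == "__main__":
    k = b"\x42" * 32                    # constructed session key
    blob = encrypt_then_mac(k, b"attribute-based payload")
    print(verify_then_decrypt(k, blob))                   # b'attribute-based payload'
    print(verify_then_decrypt(k, malicious_server(blob))) # None
```

The MAC is computed over the nonce and ciphertext, never over the plaintext, and the tag check happens before any decryption, which is the ordering that makes a tampered or replaced delegated ciphertext fail closed instead of yielding attacker-controlled plaintext.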
1) The document discusses developing a simple and secure way to send encrypted messages over the internet using any encryption algorithm.
2) The project aims to prevent hackers from accessing messages by encrypting them during transmission using a popular mono-alphabetic encryption algorithm.
3) The encryption and decryption will be done between a sender and receiver connected over a local area network, with the algorithms coded in Java.
Circuit ciphertext policy attribute-based hybrid encryption with verifiable d...Shakas Technologies
In the cloud, to achieve access control and keep data confidential, data owners can adopt attribute-based encryption to encrypt the stored data. Users with limited computing power are, however, likely to delegate most of the decryption task to the cloud servers to reduce their computing cost.
Exploiting tls to disrupt privacy of web application's trafficSandipan Biswas
In this work, we analyze privacy and security aspects of encryption modes, padding schemes and the order of padding of messages in TLS during encrypted communication between a client and a web application on the server. We show that padding all packets to hide message sizes, without taking the underlying encryption mode and padding methodology into account, is not safe.
The document proposes a novel secure scheme for computing the cosine similarity between two integer vectors with malicious adversaries. The scheme uses distributed ElGamal encryption and zero-knowledge proofs to privately compute the cosine coefficient between two parties' vector inputs while preserving privacy. Security analysis shows the scheme can resist attacks from malicious adversaries by simulating the ideal functionality using the encryption scheme and zero-knowledge proofs.
This document provides an overview of cryptography and its applications. It discusses the history of cryptography beginning in ancient Egypt. It defines basic cryptography terminology like plaintext, ciphertext, cipher, key, encryption, decryption, cryptography, and cryptanalysis. It describes classical ciphers like the Caesar cipher and substitution ciphers. It also discusses cryptanalysis techniques, transposition ciphers, modern symmetric ciphers, public key cryptography including RSA, key distribution methods, and hybrid encryption.
Cryptography is the practice of securing communication and information. It involves encrypting plaintext into ciphertext using algorithms and decrypting the ciphertext back to plaintext. The main goals of cryptography are confidentiality, integrity, non-repudiation, authentication, access control, and availability. There are three main types of cryptographic algorithms: secret-key cryptography, which uses the same key for encryption and decryption; public-key cryptography, which uses different keys for encryption and decryption; and hash functions, which are one-way functions mapping input of any length to a fixed-size digest that cannot be inverted (they are not a form of encryption). Common cryptographic hash functions include MD5 and SHA-1, used to verify the integrity of files and messages; both are now broken against collision attacks, so new designs should use SHA-2 or SHA-3.
Data Security with Colors is an RSA-based technique that integrates the RGB color model with the well-known public key cryptographic algorithm RSA (Rivest, Shamir and Adleman). The model provides both confidentiality and authentication for data sent across the network. RSA uses a public key and a private key to encrypt and decrypt the data and thus provides confidentiality. But the public key is known to everyone, so anyone can encrypt data and send a message; hence authentication of users is needed. In this technique the RGB color model is used to provide authentication. Every user is assigned a unique color, and a sender must know the receiver's color to send a message. The color value is encrypted using a key that serves as a password when decrypting the message. To decrypt the message, the receiver must provide his color values; if the decrypted color values and his own color values are equal, the sender and receiver are deemed authentic. The data encryption and decryption follow the RSA procedure. Thus both authentication and confidentiality are provided for the data.
ENHANCED SECURE ALGORITHM FOR MESSAGE COMMUNICATIONIJNSA Journal
This paper puts forward a safe mechanism of data transmission to tackle the security problem of information transmitted over the Internet. Encryption standards such as DES (Data Encryption Standard), AES (Advanced Encryption Standard) and EES (Escrowed Encryption Standard) are widely used to solve the problem of communication over an insecure channel. With advances in computer hardware and software, these standards seem not to be as secure and fast as one would like. In this paper we propose an encryption technique that provides security to both the message and the secret key, achieving confidentiality and authentication. The symmetric algorithm used has two advantages over traditional schemes. First, the encryption and decryption procedures are much simpler and consequently much faster. Second, the security level is higher due to the inherent poly-alphabetic nature of the substitution mapping used here, together with the translation and transposition operations performed in the algorithm. The asymmetric algorithm RSA is known worldwide for its high security. This paper presents a detailed report of the process and an analysis comparing the proposed technique with familiar techniques.
The researcher focuses on studying fundamental tradeoffs between cache-obliviousness, cache-optimality, and parallelism of algorithms and data structures. Their work combines theory and experiments on topics like stencil computation, dynamic programming, and numerical algorithms. Recent work showed that optimal time and cache complexity can be achieved simultaneously for problems like longest common subsequence via a "cache-oblivious wavefront" scheduling technique. Open questions remain about applying this approach more broadly and understanding tradeoffs between time and cache complexity.
AN EFFICIENT PROXY SIGNCRYPTION SCHEME BASED ON THE DISCRETE LOGARITHM PROBLEMZac Darcy
This document proposes a new efficient proxy signcryption scheme based on the discrete logarithm problem (DLP). The scheme allows an original signer to delegate signing power to a proxy signer, who can then sign messages on behalf of the original signer. The scheme consists of setup, proxy-credential-generation, proxy-signcryption-generation, and proxy-unsigncryption-verification phases. It achieves security requirements like verifiability, unforgeability, identifiability, and prevention of misuse through use of public/private keys and the intractability of computing discrete logarithms. The scheme is proven correct and its security is analyzed.
Cryptography involves encrypting messages to make them secure and immune to attacks. There are traditional ciphers like substitution and transposition ciphers that encrypt text by shifting letters or rearranging them. Modern algorithms like DES use symmetric keys and RSA uses public/private key pairs to encrypt and decrypt messages. Public key cryptography uses different public and private keys, allowing secure communication without pre-sharing keys. Digital signatures authenticate messages using the sender's private key and can be verified by anyone using their public key.
A Modified approach for implementation of an efficient padding scheme in a di...dannyijwest
In order to provide secure transmission of documents over an insecure channel, digital signature systems are used, and a hash function is an essential component of them. The need for an improved approach to reduce the impact of cryptanalytic attacks has driven the changes in padding and parsing schemes adopted from time to time. However, these schemes have not proved as efficient as this critical application demands, so there is always scope for improvement. The paper is organized in parts: the first ones give an overview of hash functions and a brief presentation of their use in digital signatures; the remaining parts are devoted to our proposed improvement of the padding structure and to comparative results drawn from the correlation coefficients obtained, and the paper finishes with a conclusion and future extensions of this work.
Why Should You Pay Attention To Quantum Computing?Milos Dunjic
Quantum computing is an exciting and rather unusual field of informatics. Recently I had the privilege to participate in The Quantum Panel, as part of the Payments Canada conference, where I shared some of my views with a wider audience.
Secured Authorized Data Using Hybrid Encryption in Cloud ComputingIJERA Editor
Securing a public network such as a cloud network has become a very hard task, and at the same time users want to reduce the cost of cryptographic protection by delegating most of the decryption task to the cloud servers. As a result, attribute-based encryption with delegation has emerged. Still, caveats and open questions remain in previous work: the cloud servers could tamper with or replace the delegated ciphertext and return a forged computing result with malicious intent, or cheat eligible users by telling them they are ineligible in order to save cost. Furthermore, the access policies used during encryption may not be flexible enough. Since a policy for general circuits achieves the strongest form of access control, this work considers a construction for circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation. In such a system, combined with verifiable computation and an encrypt-then-MAC mechanism, data confidentiality, fine-grained access control and the correctness of the delegated computing results are guaranteed at the same time. The scheme achieves security against chosen-plaintext attacks under the k-multilinear Decisional Diffie-Hellman assumption, and an extensive simulation campaign confirms its feasibility and efficiency. There are two complementary forms of attribute-based encryption: key-policy attribute-based encryption (KP-ABE) [8], [9], [10] and ciphertext-policy attribute-based encryption (CP-ABE).
In a KP-ABE system, the access policy is decided by the key distributor instead of the encryptor, which limits the practicability and usability of the system in practical applications. The access policy for general circuits can be regarded as the strongest form of policy expression, since circuits can express any program of fixed running time.
The document proposes an efficient generalized signcryption scheme based on elliptic curve cryptography (ECC) that avoids computationally heavy bilinear pairing operations. It first identifies security issues in a previous tripartite signcryption scheme and proposes corrections. The corrected scheme is extended to support multiple receivers. It then further extends this signcryption scheme to a generalized signcryption scheme that provides either confidentiality, authentication, or a combination of both for messages with multiple receivers. The proposed schemes use only ECC operations and satisfy security properties like forward secrecy and public verification more efficiently than other existing schemes. An application of the generalized signcryption scheme for key management in wireless sensor networks is also discussed.
This document proposes a medical image encryption technique that uses multiple chaotic maps. It utilizes the logistic map, Arnold cat map, and Baker's map within a triple data encryption standard (3DES) scheme. The technique encrypts and decrypts medical images efficiently and securely, making it suitable for transmission over insecure networks. It was tested using the transmission control protocol (TCP)/internet protocol (IP) to transfer encrypted images between a server and client. Experimental results found the method resistant to attacks while maintaining encryption performance.
This document proposes a hybrid encryption-decryption algorithm combining AES and DES and implements it in VHDL on the ModelSim platform. The hybrid algorithm integrates AES into each iteration of DES's Feistel network, using AES operations such as byte substitution and key addition, which increases computational complexity compared to the individual standards. The VHDL implementation includes modules for AES encryption/decryption and for the hybrid algorithm, and simulations validate that the code works correctly. Future work could increase the number of iterations to suit different security levels or implement a 128-bit AES variant. The authors argue that the hybrid approach strengthens security against attacks.
On the Usage of Chained Codes in CryptographyCSCJournals
This document summarizes a research paper on using randomized chained linear codes for digital signatures. The summary is:
1) Randomized chained linear codes are proposed to address attacks on previous signature schemes that used regular chained codes. Random vectors are concatenated to the generator matrix of a chained code to create randomized chained codes.
2) A digital signature scheme is presented that uses randomized chained codes. The private key consists of the generator matrix and randomization matrices. The public key is the randomized parity check matrix. Signatures are created using the chain code decoding algorithm.
3) Security analysis shows the scheme is secure if the code length is over 1350 bits, preventing an attacker from determining the private key from the public information.
A Modified Technique For Performing Data Encryption & Data DecryptionIJERA Editor
In this age of universal electronic connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud, there is a real need to store information securely. This, in turn, has led to a heightened awareness of the need to protect data and resources from disclosure, to guarantee the authenticity of data and messages, and to protect systems from network-based attacks. Information security via encryption and decryption techniques has been a very popular research area for many researchers over the years. This paper elaborates the basic concepts of cryptography, especially public-key and private-key cryptography, and contains a review of some popular encryption and decryption algorithms. A modified method is also proposed, which is fast in comparison to the existing methods.
Searchable encryption remains one of the most widely requested functionalities of cloud storage. In this paper, we provide a security analysis of the popular schemes, including a study of their implementations and security definitions. We cover Order-Preserving Symmetric Encryption, Order-Revealing Encryption and Partial Order-Preserving Encoding.
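Added example, not from the paper: the leakage that the security analysis of order-preserving schemes turns on. The Python below implements a toy order-preserving encryption (a random strictly increasing map from the plaintext domain into a larger ciphertext range), and then the sorting attack on a dense column: when every plaintext value occurs at least once, the order of the ciphertexts alone recovers every plaintext without the key. The key-generation method, the domain of ten values and the dataset are constructed for the illustration; real OPE schemes differ in construction but leak the same order.

```python
import random

# Added example, not from the paper: toy order-preserving encryption and the
# sorting attack on a dense column. All parameters and data are constructed.


def ope_keygen(domain: int, ciphertext_space: int, rng: random.Random) -> list:
    """Key = sorted sample of `domain` distinct points from [0, ciphertext_space)."""
    if ciphertext_space < domain:
        raise ValueError("ciphertext space must be at least as large as the domain")
    return sorted(rng.sample(range(ciphertext_space), domain))


def ope_encrypt(key: list, m: int) -> int:
    return key[m]                       # strictly increasing in m: order is preserved


def ope_decrypt(key: list, c: int) -> int:
    return key.index(c)


def leaks_order(key: list, a: int, b: int) -> bool:
    """Anyone holding two ciphertexts can compare them; that is both the
    functionality the database wants and the leakage the attacker uses."""
    return (ope_encrypt(key, a) < ope_encrypt(key, b)) == (a < b)


def sorting_attack(ciphertexts: list, domain: int) -> dict:
    """Dense column: every plaintext value appears, so the i-th smallest
    distinct ciphertext must encrypt plaintext i. Returns the recovered
    ciphertext->plaintext table, or {} when the column is not dense."""
    distinct = sorted(set(ciphertexts))
    if len(distinct) != domain:
        return {}
    return {c: i for i, c in enumerate(distinct)}


if __name__ == "__main__":
    rng = random.Random(7)
    key = ope_keygen(10, 1000, rng)                   # ten plaintext values, e.g. a rating 0..9
    column = [rng.randrange(10) for _ in range(200)] + list(range(10))  # constructed, dense
    cts = [ope_encrypt(key, m) for m in column]
    recovered = sorting_attack(cts, 10)
    print(all(recovered[c] == m for c, m in zip(cts, column)))   # True: full recovery, no key
```

The attack needs no ciphertext-only cryptanalysis at all, only the knowledge that the column is dense (or, in the non-dense variant, an auxiliary frequency distribution), which is why the paper's treatment of the schemes' security definitions matters more than the ciphers inside them.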
This paper proposes a new compressive-sensing based method for simultaneous data compression and convergent encryption for secure deduplication in cloud storage. It performs signal acquisition, compression and encryption at the same time. The measurement matrix is generated from a hash key and is exploited for encryption. The method is well suited to the cloud model considering both data security and storage efficiency.
This document covers topics in network security including:
- It outlines the OSI security architecture and describes security services like authentication, access control, and data confidentiality.
- It discusses security mechanisms like encipherment and digital signatures. Common security attacks are also defined, including passive attacks, active attacks, masquerade, replay, and denial of service.
- Symmetric encryption techniques are introduced, including the Caesar cipher, monoalphabetic ciphers, Playfair cipher, and Hill cipher. Key concepts in classical cryptography are explained.
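Added example, serving the mono-alphabetic LAN project, the two cryptography overviews and this outline together (it is not code from any of those documents): the Caesar and monoalphabetic substitution ciphers in Python, with the two checks a cryptanalyst makes. The shift of a Caesar ciphertext is recovered by chi-squared scoring of all 26 candidates against English letter frequencies, and a monoalphabetic key is shown to preserve the letter histogram exactly, which is what frequency analysis exploits. The sample text and the key `qwertyuiopasdfghjklzxcvbnm` are constructed for the illustration; the frequency table is the standard one for English.

```python
import string
from collections import Counter

# Added example, not from the slides: Caesar and monoalphabetic substitution
# with the cryptanalytic checks that break them. SAMPLE and KEY are constructed.

ALPHABET = string.ascii_lowercase
ENGLISH_FREQ = {  # percent of letters in typical English text
    'a': 8.167, 'b': 1.492, 'c': 2.782, 'd': 4.253, 'e': 12.702, 'f': 2.228,
    'g': 2.015, 'h': 6.094, 'i': 6.966, 'j': 0.153, 'k': 0.772, 'l': 4.025,
    'm': 2.406, 'n': 6.749, 'o': 7.507, 'p': 1.929, 'q': 0.095, 'r': 5.987,
    's': 6.327, 't': 9.056, 'u': 2.758, 'v': 0.978, 'w': 2.360, 'x': 0.150,
    'y': 1.974, 'z': 0.074,
}
SAMPLE = ("the caesar cipher shifts every letter of the message by the same fixed "
          "amount and a single ciphertext of a few lines is enough to recover that "
          "shift because the letter frequencies of english text survive the shift "
          "unchanged")


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` (negative to decrypt); other characters pass through."""
    out = []
    for ch in text.lower():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def letter_histogram(text: str) -> Counter:
    return Counter(ch for ch in text.lower() if ch in ALPHABET)


def chi_squared(text: str) -> float:
    """Distance between the text's letter distribution and English; lower is closer."""
    hist = letter_histogram(text)
    n = sum(hist.values())
    if n == 0:
        return float("inf")
    total = 0.0
    for ch in ALPHABET:
        expected = n * ENGLISH_FREQ[ch] / 100
        total += (hist[ch] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext: str) -> int:
    """Try all 26 shifts; the decryption that looks most like English wins."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


def mono_encrypt(text: str, key: str) -> str:
    """key is a 26-letter permutation: plaintext letter i maps to key[i]."""
    return text.lower().translate(str.maketrans(ALPHABET, key))


def mono_decrypt(ciphertext: str, key: str) -> str:
    return ciphertext.translate(str.maketrans(key, ALPHABET))


def same_histogram_shape(plaintext: str, ciphertext: str) -> bool:
    """Substitution renames letters but keeps every count, so the sorted
    frequency profile of the ciphertext equals that of the plaintext."""
    return (sorted(letter_histogram(plaintext).values())
            == sorted(letter_histogram(ciphertext).values()))


if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    print(ct[:24], "-> shift", break_caesar(ct))            # wkh fdhvdu flskhu ... -> shift 3
    KEY = "qwertyuiopasdfghjklzxcvbnm"
    mct = mono_encrypt(SAMPLE, KEY)
    print(same_histogram_shape(SAMPLE, mct))                # True
    print(letter_histogram(mct).most_common(1)[0][0] == KEY[ALPHABET.index("e")])  # True
```

The last line is the whole weakness of a monoalphabetic cipher, whatever the key space size: the most frequent ciphertext letter is the image of the most frequent plaintext letter, and the rest of the key follows from digram and trigram statistics in the same way.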
This document discusses using threshold cryptography and maximum distance separable (MDS) codes for key management in mobile ad hoc networks (MANETs). It begins with an introduction to MANETs and the need for distributed key management approaches. It then provides background on threshold cryptography and MDS codes. The document proposes using threshold cryptography combined with MDS codes to create a distributed cooperative key management system for MANETs that generates and distributes encryption keys among network nodes in a secure and fault-tolerant manner.
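Added example, not the paper's protocol: Shamir (t, n) secret sharing over a prime field, the basic primitive behind threshold cryptography and the concrete link to MDS codes, since the n shares are evaluations of a random degree t-1 polynomial and therefore form a Reed-Solomon codeword: any t of them reconstruct the secret and any n-t of them can be lost to failed nodes. The field prime 2^127-1, the (3, 5) parameters and the secret are constructed for the illustration.

```python
import secrets

# Added example, not from the document: Shamir threshold secret sharing over
# GF(P). Shares are points on a random polynomial with f(0) = secret; any t of
# the n shares recover it, fewer give no information. Parameters constructed.

P = 2**127 - 1  # Mersenne prime; secrets must be integers in [0, P)


def split_secret(secret: int, t: int, n: int, randbelow=secrets.randbelow) -> list:
    """Return n shares (x, y) with x = 1..n; any t of them recover the secret."""
    if not (1 <= t <= n < P) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [randbelow(P) for _ in range(t - 1)]   # f(0) = secret

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares: list, t: int) -> int:
    """Lagrange interpolation at x = 0 from t shares with distinct x."""
    distinct = {}
    for x, y in shares:
        distinct.setdefault(x, y)
    if len(distinct) < t:
        raise ValueError("need at least t distinct shares")
    pts = list(distinct.items())[:t]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return secret


if __name__ == "__main__":
    group_key = secrets.randbelow(P)               # constructed: the key the cluster shares
    shares = split_secret(group_key, 3, 5)         # five nodes, any three suffice
    print(reconstruct(shares[:3], 3) == group_key)                     # True
    print(reconstruct([shares[0], shares[2], shares[4]], 3) == group_key)  # True
    print(reconstruct(shares[2:], 3) == group_key)                     # True: two nodes lost
    try:
        reconstruct(shares[:2], 3)
    except ValueError as e:
        print("two shares:", e)
```

With t-1 shares every candidate secret is equally consistent (there is a degree t-1 polynomial through those shares and any value at 0), which is the information-theoretic guarantee the MANET scheme relies on when a minority of nodes is compromised.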
This document discusses public key cryptography and the RSA encryption algorithm. It provides an overview of public key cryptography, how the RSA algorithm works using a public and private key pair, and some of its applications. The RSA algorithm is based on the difficulty of factoring a large integer that is the product of two large primes, and allows for secure communication without a pre-shared secret key. Advantages include convenience and support for message authentication and non-repudiation through digital signatures; disadvantages include slower performance than symmetric ciphers and the need to authenticate public keys.
KEY-AGGREGATE SEARCHABLE ENCRYPTION (KASE) FOR GROUP DATA SHARING VIA CLOUD ...Nexgen Technology
Circuit ciphertext policy attribute-based hybrid encryption with verifiablePvrtechnologies Nellore
The document proposes a scheme for circuit ciphertext-policy attribute-based hybrid encryption with verifiable delegation in cloud computing. It aims to ensure data confidentiality, fine-grained access control, and verifiability of delegated computation results. The scheme uses a combination of ciphertext-policy attribute-based encryption, symmetric encryption, and verifiable computation. It is proven secure based on computational assumptions and simulations show it is practical for cloud computing applications.
NEW ALGORITHM FOR WIRELESS NETWORK COMMUNICATION SECURITYijcisjournal
This paper evaluates the security of wireless communication networks using fuzzy logic in MATLAB. A new hybrid algorithm is proposed and evaluated. We highlight the valuable assets in the design of a wireless network communication system based on the network simulator NS2, which is crucial for protecting the security of such systems. Block cipher algorithms are evaluated using fuzzy logic and a hybrid algorithm is proposed; both are evaluated in terms of security level. The logical AND is used in the modelling rules and Mamdani-style inference is used for the evaluations.
1) Prepare and submit a summary of the contents of the paper y.docxmonicafrancis71118
1) Prepare and submit a summary of the contents of the paper you have chosen in
the first part of this project.
2) The submission should be written in IEEE Proceedings Manuscripts style: two
columns, single-spaced. You may find a template file at URL:
http://www.ieee.org/web/publications/authors/transjnl/index.htm1. It should not be
more than 3 pages long (including references and figures) and should follow
Term Research Project Report Guidelines organization laid out in the course
outline
3) In your report pay special attention to the “Conclusion” and/or
“Recommendation” sections of your paper, as your ability to independently
analyze and critique the paper will form a major part of the evaluation. Ensure
that you have at least one or two paragraphs that give your independent opinion
on the contents of the paper.
4) Copying the sentences in your chosen paper verbatim into your summary is
plagiarism. Ensure that you write your summary using your own words.
5) Your submission will be judged based on the following criteria:
Format/Organization
Content
Clarity
Technical Depth
Originality
6) Prepare a one slide brochure, summarizing the main points of the paper, what it
does, the applications, importance.
7) Your final submission should include your summary report, the slide
brochure and the original paper that you summarized.
On the Fog of RSA Key Lengths
Verifying Public Key Cryptography Strength Recommendations
Mikko Kiviharju
Information Technology Division
Finnish Defence Research Agency
Riihimaki, Finland
Abstract—Finite-field cryptography plays a major role in current cyberspace infrastructure. Most notable examples include the RSA public key cryptosystem, based on the assumed difficulty of finding the factorization of large integers in general, and Diffie-Hellman (DH) key exchange, based on the hardness of finding discrete logarithms in finite fields. In order to use strong enough parameters for cryptography intended to protect classified information, the hardness of these problems needs to be measured and associated with a security level (e.g. RESTRICTED and SECRET). This is, however, a multi-step, nation-dependent and usually classified process, with no unified understanding of how certain parameters should be measured. In this paper we investigate the public key length recommendations for RSA and DH, their background and reasoning. Based on this research, we suggest an updated method for the measurement of sufficient RSA and DH key sizes, and benchmark it against the public Finnish security level recommendation.
Keywords— RSA, Diffie-Hellman, Security levels
I. INTRODUCTION
Finite-field cryptography plays a major role in current cyberspace infrastructure. Most notable examples include the RSA public key cryptosystem based on the assumed difficulty of finding factorization of large integers in general, and Diffie-Hellman (DH) key exchange, .
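Added example, not from the paper: the standard way a modulus size is turned into the symmetric-equivalent "security bits" figure that every RSA/DH key-length table is built on. The cost model is the heuristic running time of the general number field sieve, L[1/3, (64/9)^(1/3)] = exp((64/9)^(1/3) (ln n)^(1/3) (ln ln n)^(2/3)), which applies both to factoring (RSA) and to finite-field discrete logarithms (DH). Its constant factor is unknown, so the curve has to be pinned to a reference point; the anchor used here (1024-bit RSA taken as 80-bit security, as in NIST SP 800-57) is an assumption of this example, and a national authority would choose its own anchor and safety margin, which is exactly the "fog" the paper examines.

```python
import math

# Added example, not from the paper: GNFS-based security-bits estimate for
# RSA/DH modulus sizes. The 1024-bit ~ 80-bit anchor is an assumption.


def gnfs_log2_cost(modulus_bits: int) -> float:
    """log2 of the asymptotic GNFS cost L[1/3, (64/9)^(1/3)] for an n of this size."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)


def security_bits(modulus_bits: int, ref_bits: int = 1024, ref_strength: float = 80.0) -> float:
    """Symmetric-equivalent strength, calibrated so ref_bits maps to ref_strength
    (the unknown constant in the GNFS estimate cancels in the difference)."""
    return gnfs_log2_cost(modulus_bits) - gnfs_log2_cost(ref_bits) + ref_strength


def min_modulus_bits(target_strength: float, step: int = 256, ceiling: int = 16384, **kw) -> int:
    """Smallest modulus size (a multiple of `step`) whose estimate meets the target."""
    bits = step
    while bits <= ceiling:
        if security_bits(bits, **kw) >= target_strength:
            return bits
        bits += step
    raise ValueError("target strength not reachable below the ceiling")


def key_length_table(sizes=(1024, 2048, 3072, 4096, 7680, 15360)) -> dict:
    """Modulus size -> estimated security bits, rounded to one decimal."""
    return {b: round(security_bits(b), 1) for b in sizes}


if __name__ == "__main__":
    for bits, strength in key_length_table().items():
        print(f"RSA/DH {bits:6d} bits  ~ {strength:6.1f} symmetric-equivalent bits")
    print("smallest modulus for 112-bit security:", min_modulus_bits(112))
    # Moving the anchor is what a different national table effectively does:
    print("same with a more conservative anchor:", min_modulus_bits(112, ref_strength=72.0))
```

Two things the table makes visible: the estimate is a difference of two L-values, so changing the anchor shifts the whole table by a constant, and the step size used when rounding up to a "standard" modulus length can matter as much as the model itself.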
The creation of smart spaces and the miniaturization of devices in pervasive computing environments raise the question of how secure such devices can be. Security is a unique challenge in these environments, and a solution demands scalability, access control, heterogeneity and trust. Most of the cryptographic solutions widely in use rely on the hardness of factorization and related number-theoretic problems. With advances in cryptanalytic attacks, these schemes may become insecure, so an alternative security mechanism that is at least as hard as the existing number-theoretic approaches is needed. In this work, we discuss lattice-based cryptography as a new dimension for providing security, whose strength lies in the hardness of lattice problems, and we discuss a cryptosystem whose security relies on a high lattice dimension.
A Crypto-System with Embedded Error Control for Secure and Reliable Communica...CSCJournals
In this paper we propose a novel Crypto-System with Embedded Error Control (CSEEC). The system supports data security and reliability using forward error correction (FEC) codes. Security is provided through the use of a new symmetric encryption algorithm, while reliability is provided through the support of FEC codes. The system also supports joint security and reliability, in which encryption and encoding are performed in a single step. The system aims at speeding up the encryption and encoding operations and reduces the hardware dedicated to each of them. In addition, the proposed system allows users to achieve secure and reliable communication in which they can alternate between a priority on security and a priority on reliability, and scale their choice to the desired level in order to attain the required communication quality and fulfill application needs. The system targets resource-constrained nodes such as remote sensor nodes operating in noisy environments.
RMAC – A LIGHTWEIGHT AUTHENTICATION PROTOCOL FOR HIGHLY CONSTRAINED IOT DEVICESijcisjournal
Nowadays, highly constrained IoT devices have earned an important place in our everyday lives. These devices mainly comprise RFID (Radio-Frequency Identification) or WSN (Wireless Sensor Network) components. Their adoption is growing in areas where data security, privacy or both must be guaranteed, so it is necessary to develop appropriate security solutions for these systems. Many papers have proposed solutions for encryption or authentication, but it turns out that the proposal sometimes has a security flaw or is ill-suited to constrained IoT devices, which have very limited processing and storage capacities. In this paper, we introduce a new authentication protocol inspired by Mirror-Mac (MM), a generic construction of an authentication protocol proposed by Mol et al. Our proposal, named RMAC, is well suited to highly constrained IoT devices since its implementation uses simple and lightweight algorithms. We also prove that RMAC is at least as secure as the MM protocol and thus secure against man-in-the-middle attacks.
Efficient authentication for mobile and pervasive computingIGEEKS TECHNOLOGIES
This document proposes two novel techniques for authenticating short encrypted messages for mobile and pervasive applications. Existing message authentication codes (MACs) are not designed to utilize encryption functionality and are inefficient for short messages. The proposed techniques are more efficient by using the encryption process to generate authentication information, rather than applying encryption and a MAC separately. The first technique appends a short random string during encryption for authentication. The second improves on this by leveraging properties of block ciphers. Analysis shows the techniques provide security while maintaining efficiency needed for mobile applications.
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...IJECEIAES
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to precisely delineate tumor boundaries from magnetic resonance imaging (MRI) scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The model is rigorously trained and evaluated, exhibiting remarkable performance metrics, including an impressive global accuracy of 99.286%, a high class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of our proposed model. These findings underscore the model's competence in precise brain tumor localization, underscoring its potential to revolutionize medical image analysis and enhance healthcare outcomes. This research paves the way for future exploration and optimization of advanced CNN models in medical imaging, emphasizing addressing false positives and resource efficiency.
A SYSTEMATIC RISK ASSESSMENT APPROACH FOR SECURING THE SMART IRRIGATION SYSTEMSIJNSA Journal
The smart irrigation system represents an innovative approach to optimize water usage in agricultural and landscaping practices. The integration of cutting-edge technologies, including sensors, actuators, and data analysis, empowers this system to provide accurate monitoring and control of irrigation processes by leveraging real-time environmental conditions. The main objective of a smart irrigation system is to optimize water efficiency, minimize expenses, and foster the adoption of sustainable water management methods. This paper conducts a systematic risk assessment by exploring the key components/assets and their functionalities in the smart irrigation system. The crucial role of sensors in gathering data on soil moisture, weather patterns, and plant well-being is emphasized in this system. These sensors enable intelligent decision-making in irrigation scheduling and water distribution, leading to enhanced water efficiency and sustainable water management practices. Actuators enable automated control of irrigation devices, ensuring precise and targeted water delivery to plants. Additionally, the paper addresses the potential threat and vulnerabilities associated with smart irrigation systems. It discusses limitations of the system, such as power constraints and computational capabilities, and calculates the potential security risks. The paper suggests possible risk treatment methods for effective secure system operation. In conclusion, the paper emphasizes the significant benefits of implementing smart irrigation systems, including improved water conservation, increased crop yield, and reduced environmental impact. Additionally, based on the security analysis conducted, the paper recommends the implementation of countermeasures and security approaches to address vulnerabilities and ensure the integrity and reliability of the system. 
By incorporating these measures, smart irrigation technology can revolutionize water management practices in agriculture, promoting sustainability, resource efficiency, and safeguarding against potential security threats.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
A preliminary version of this paper appears in Advances in Cryptology – CRYPTO ’07, Lecture
Notes in Computer Science Vol. 4622, A. Menezes ed., Springer-Verlag, 2007. This is the full
version.
Secure Hybrid Encryption from Weakened Key Encapsulation
Dennis Hofheinz Eike Kiltz
CWI Amsterdam
The Netherlands
{hofheinz,kiltz}@cwi.nl
Abstract
We put forward a new paradigm for building hybrid encryption schemes from constrained
chosen-ciphertext secure (CCCA) key-encapsulation mechanisms (KEMs) plus authenticated
symmetric encryption. Constrained chosen-ciphertext security is a new security notion for
KEMs that we propose. CCCA has less demanding security requirements than standard
chosen-ciphertext (CCA) security (since it requires the adversary to have a certain plaintext-
knowledge when making a decapsulation query) yet we can prove that CCCA is sufficient
for secure hybrid encryption.
Our notion is not only useful to express the Kurosawa-Desmedt public-key encryption
scheme and its generalizations to hash-proof systems in an abstract KEM/DEM security
framework. It also has a very constructive appeal, which we demonstrate with a new en-
cryption scheme whose security relies on a class of intractability assumptions that we show (in
the generic group model) strictly weaker than the Decision Diffie-Hellman (DDH) assump-
tion. This appears to be the first practical public-key encryption scheme in the literature
from an algebraic assumption strictly weaker than DDH.
Keywords: Chosen-ciphertext security, weak security assumptions, hybrid encryption
1 Introduction
One of the main fields of interest in cryptography is the design and analysis of encryption
schemes in the public-key setting (PKE schemes) that are secure against a very strong type of
attacks — indistinguishability against chosen-ciphertext attacks (IND-CCA)¹ [30, 15]. In this
work, we are interested in practical schemes with proofs of security under reasonable security
assumptions (without relying on heuristics such as the random oracle model) and in general
methods for constructing such schemes.
The first practical IND-CCA secure PKE scheme without random oracles was proposed
in a seminal paper by Cramer and Shoup [12, 14]. Their construction was later generalized
to hash proof systems [13]. In [36, 14] Cramer and Shoup also give a hybrid variant that
encrypts messages of arbitrary length. The idea is to conceptually separate the key-encapsulation
(KEM) part from the symmetric (DEM) part. Generally, this hybrid approach greatly improved
practicality of encryption schemes. A folklore composition theorem (formalized in [14]) shows
that if both KEM and DEM are CCA-secure then the hybrid encryption is CCA-secure. Common
wisdom was that this sufficient condition was also necessary. However, at CRYPTO 2004,
Kurosawa and Desmedt challenged this common wisdom by presenting a hybrid encryption
scheme that demonstrates that a weaker security condition on the KEM may suffice for full
CCA-secure hybrid encryption. Compared to the original Cramer-Shoup scheme, the scheme by
Kurosawa and Desmedt improved efficiency and ciphertext expansion by replacing some of its
algebraic components with information theoretically secure symmetric primitives. More recently,
the KEM part of their scheme was indeed shown to be not CCA secure [18].
¹ In what follows IND-CCA always denotes the strong form of IND-CCA2 security.
One natural open problem from [24] is whether there exists a weaker yet natural security condition
on the KEM such that, in combination with sufficiently strong symmetric encryption, chosen-
ciphertext secure hybrid encryption can be guaranteed.
Extending the work of Cramer and Shoup [13], it was demonstrated in [24, 2, 17] that a
variant of hash-proof systems (HPS) can be combined with symmetric encryption and a message
authentication code (MAC) to obtain hybrid encryption. If the hash-proof system is universal$_2$,
then the encryption scheme is chosen-ciphertext secure. However, the Kurosawa-Desmedt hybrid
scheme could not be rigorously explained in this general HPS framework since the underlying
hash-proof system is not universal$_2$. (Roughly, this is since universal$_2$ is a statistical property
whereas the Kurosawa-Desmedt system contains a computational component, namely a target
collision resistant (TCR) hash function.) In [24] (and [13]) only less efficient “hash-free variants”
of their schemes could be explained through hash proof systems; security of all efficient TCR-based
schemes had to be proved separately.
Surprisingly, almost all practical standard-model encryption schemes [12, 14, 24, 2, 11, 10,
22, 23] are based on the difficulty of Decision Diffie-Hellman (DDH) or stronger assumptions.
This is contrasted by the existence of many natural groups in which the DDH assumption is
known to be wrong; examples include pairing-groups and certain non prime-order groups like
$\mathbb{Z}_p^*$. This often overlooked fact may turn into a serious problem in case DDH turns out to be
wrong in all cryptographically interesting groups. In particular, [19] give evidence that groups
with easy DDH problem, but hard computational Diffie-Hellman problem exist. [19] interpret
this as an argument to rely on weaker assumptions than DDH.
1.1 Our contributions
A new KEM/DEM composition theorem. We put forward the security notion of indis-
tinguishability against Constrained chosen-ciphertext attacks (IND-CCCA) for KEMs which is
stronger than IND-CPA (CPA stands for chosen-plaintext attacks) yet strictly weaker than IND-
CCA. Intuitively, CCCA is separated from CCA security by only allowing an adversary to make
a decapsulation query if it has sufficient “implicit knowledge” about the plaintext key to be
decapsulated (hence the name “Constrained chosen-ciphertext security”).²
As our main technical contribution we formalize the above notion and prove a composi-
tion theorem that shows that any IND-CCCA secure KEM combined with any authenticated
(symmetric) encryption scheme yields IND-CCA secure hybrid encryption. This gives a pos-
itive answer to the open question from [24] mentioned before. Authenticated encryption is a
quite general symmetric primitive and examples include “encrypt-then-mac” schemes (based on
computationally secure primitives), and also more efficient single-pass schemes (see, e.g., [31]).
² This is reminiscent of the notion of “plaintext awareness” for public-key encryption [6] where it is infeasible
for an adversary to come up with a valid ciphertext without being aware of the corresponding plaintext. Our
definition is weaker in the sense that it only requires the adversary to have implicit knowledge on the plaintext.
Constrained chosen-ciphertext secure KEMs formalize a new design paradigm for efficient
hybrid encryption. To guarantee chosen-ciphertext security for hybrid encryption schemes it is
sufficient to verify a natural security condition on the key encapsulation part. We assess the
constructive appeal of this framework by demonstrating that the original Kurosawa-Desmedt
scheme [24], along with its variants [2, 29] and all hash-proof systems based schemes [13, 24],
can be thoroughly explained through it. We furthermore present a new IND-CCCA secure KEM
from the DDH assumption and show how to build a class of practical KEMs from progressively
weaker assumptions than DDH.
Constrained chosen-ciphertext secure KEM from DDH. We propose a new KEM
which is IND-CCCA secure under the DDH assumption. Although it relies on different proof
techniques (it is not based on hash proof systems), syntactically it is reminiscent of the one by
Kurosawa and Desmedt and can in fact be viewed as its dual (in the sense that certain parts
from the ciphertext and the symmetric key are swapped in our scheme). Even though it is
not much more efficient than the scheme by Kurosawa and Desmedt, we still consider it to be
interesting since it constitutes the first efficient DDH-based encryption scheme that is not based
on hash proof systems.
Constrained chosen-ciphertext secure KEM from n-Linear. Building on [9, 21] we
introduce a new class of purely algebraic intractability assumptions, the n-Linear assumptions,
where n ≥ 1 is a parameter. They are such that the DDH assumption equals the 1-Linear
assumption, the Linear assumption [9] equals the 2-Linear assumption, and the n-Linear
assumptions become strictly weaker as the parameter n grows. More precisely, 1-Linear = DDH,
and n-Linear implies (n+1)-Linear, but (in the generic group model [35]) (n+1)-Linear is still
hard relative to an n-Linear oracle. In fact, for n ≥ 2 the n-Linear assumption does not seem
to be invalid in any obvious sense even in the groups from [19], in which the DDH problem
is easy, and the computational Diffie-Hellman problem is supposedly hard. We generalize the
KD scheme and its dual to a class of parametrized KEMs and prove their IND-CCCA security
assuming n-Linear. These appear to be the first practical encryption schemes in the literature
from a purely algebraic assumption which is strictly weaker than DDH.
Computational Hash-Proof Systems. We propose a purely computational variant of hash-
proof systems. Generalizing [13, 24], we prove that computational hash-proof systems directly
imply IND-CCCA secure KEMs. Hence, in combination with authenticated encryption, they
yield efficient IND-CCA secure hybrid encryption. The Kurosawa-Desmedt scheme fits this
framework, i.e. the underlying HPS is computational. This gives the first full explanation of
the Kurosawa-Desmedt scheme in terms of HPS. As a generalization we provide computational
hash-proof systems from the n-Linear assumptions hence explaining IND-CCCA security of our
class of KEMs from the n-Linear assumptions.
1.2 Discussion and related work
In [1] (which is the full version of [2]), Abe et al. address the question from [24] about the
existence of a natural weaker security condition for KEMs. They propose the notion of LCCA
secure KEMs with respect to the predicate Pmac and prove it sufficient to obtain, in combination
with a MAC, IND-CCA secure tag-KEMs (and hence IND-CCA secure hybrid encryption).
Though syntactically similar to ours, their notion mingles security of the KEM with the MAC
part of the symmetric encryption scheme. The conceptual difference in our notion is that
we give a general security definition for KEMs that is completely independent of any particular
symmetric primitive. We think that this is more natural and more closely follows the spirit of the
KEM/DEM approach [14], where (for good reason) KEM and DEM are viewed as independent
components.
Independent from this work Shacham [34] also proposes a family of hybrid encryption schemes
from the n-Linear assumptions. His schemes can be viewed as a (slightly less efficient) Cramer-
Shoup variant of our schemes from Section 5.2.
The 2-Linear assumption was introduced by Boneh, Boyen, and Shacham [9] and was later
used in gap-groups to build an IND-CCA secure KEM [22]. For n > 2, Kiltz [21] introduced
the class of gap n-Linear assumptions and (generalizing [22]) built a class of IND-CCA secure
KEMs from it. Compared to n-Linear, in the latter gap-assumptions an adversary gets access to
a DDH oracle which makes (for example) the gap 2-Linear assumption incomparable to DDH.
In contrast, our motivation is to build schemes from an assumption weaker than DDH.
2 Preliminaries
2.1 Notation
If x is a string, then |x| denotes its length, while if S is a set then |S| denotes its size. If $k \in \mathbb{N}$
then $1^k$ denotes the string of k ones. If S is a set then $s \overset{\$}{\leftarrow} S$ denotes the operation of picking
an element s of S uniformly at random. We write $A(x, y, \ldots)$ to indicate that A is an algorithm
with inputs $x, y, \ldots$ and by $z \overset{\$}{\leftarrow} A(x, y, \ldots)$ we denote the operation of running A with inputs
$(x, y, \ldots)$ and letting z be the output. We write $A^{O_1, O_2, \ldots}(x, y, \ldots)$ to indicate that A is an
algorithm with inputs $x, y, \ldots$ and access to oracles $O_1, O_2, \ldots$ and by $z \overset{\$}{\leftarrow} A^{O_1, O_2, \ldots}(x, y, \ldots)$
we denote the operation of running A with inputs $(x, y, \ldots)$ and access to oracles $O_1, O_2, \ldots$,
and letting z be the output.
2.2 Public-Key Encryption
A triple PKE = (PKE.kg, PKE.Enc, PKE.Dec) is a public-key encryption (PKE) scheme, if
PKE.kg and PKE.Enc are probabilistic PTA, and PKE.Dec is a deterministic polynomial-time
algorithm. For consistency, we require that for all $k \in \mathbb{N}$, all messages M, it must hold that
$\Pr[\mathit{PKE.Dec}(sk, \mathit{PKE.Enc}(pk, M)) = M]$ is overwhelming in k, where the probability is taken
over the above randomized algorithms and $(pk, sk) \overset{\$}{\leftarrow} \mathit{PKE.kg}(1^k)$.
The security we require for PKE is IND-CCA security [30, 15]. To an adversary $A = (A_1, A_2)$
we associate the following experiment $\mathrm{Exp}^{cca}_{PKE,A}(k)$.
Experiment $\mathrm{Exp}^{cca}_{PKE,A}(k)$
    $(pk, sk) \overset{\$}{\leftarrow} \mathit{PKE.kg}(1^k)$
    $(M_0, M_1, St_1) \overset{\$}{\leftarrow} A_1^{\mathit{PKE.Dec}(sk,\cdot)}(pk)$ s.t. $|M_0| = |M_1|$
    $b \overset{\$}{\leftarrow} \{0, 1\}$ ; $C^*_{pke} \overset{\$}{\leftarrow} \mathit{PKE.Enc}(pk, M_b)$
    $b' \overset{\$}{\leftarrow} A_2^{\mathit{PKE.Dec}(sk,\cdot)}(C^*_{pke}, St_1)$
    If $b = b'$ return 1 else return 0
The adversary $A_2$ is restricted not to query $\mathit{PKE.Dec}(sk, \cdot)$ with $C^*_{pke}$. We define the advantage
of A in the experiment as
$\mathrm{Adv}^{cca}_{PKE,A}(k) = \left| \Pr[\mathrm{Exp}^{cca}_{PKE,A}(k) = 1] - \tfrac{1}{2} \right| .$
A PKE scheme PKE is said to be indistinguishable against chosen-ciphertext attacks (IND-CCA
secure in short) if the advantage function $\mathrm{Adv}^{cca}_{PKE,A}(k)$ is a negligible function in k for all
adversaries $A = (A_1, A_2)$ with PTA $A_1, A_2$.
For integers k, t, Q we also define
$\mathrm{Adv}^{cca}_{PKE,t,Q}(k) = \max_{A} \mathrm{Adv}^{cca}_{PKE,A}(k),$
where the maximum is over all A that fulfill $t_A \le t$ and $Q_A \le Q$.
2.3 Key Encapsulation Mechanisms
A key-encapsulation mechanism KEM = (KEM.Kg, KEM.Enc, KEM.Dec) with key-space $\mathcal{K}(k)$
consists of three polynomial-time algorithms (PTAs). Via $(pk, sk) \overset{\$}{\leftarrow} \mathit{KEM.Kg}(1^k)$ the
randomized key-generation algorithm produces public/secret keys for security parameter $k \in \mathbb{N}$;
via $(K, C) \overset{\$}{\leftarrow} \mathit{KEM.Enc}(pk)$ the randomized encapsulation algorithm creates a uniformly
distributed symmetric key $K \in \mathcal{K}(k)$ together with a ciphertext C; via $K \leftarrow \mathit{KEM.Dec}(sk, C)$
the possessor of secret key sk decrypts ciphertext C to get back a key K which is an element
in $\mathcal{K}$ or a special reject symbol $\bot$. For consistency, we require that for all $k \in \mathbb{N}$, and all
$(K, C) \overset{\$}{\leftarrow} \mathit{KEM.Enc}(pk)$ we have $\Pr[\,\mathit{KEM.Dec}(sk, C) = K\,] = 1$, where the probability is taken
over the choice of $(pk, sk) \overset{\$}{\leftarrow} \mathit{KEM.Kg}(1^k)$, and the coins of all the algorithms in the expression
above. Here we consider only KEMs that produce perfectly uniformly distributed keys (i.e.,
we require that for all public keys pk that can be output by KEM.Kg, the first component of
KEM.Enc(pk) has uniform distribution).³
The common requirement for a KEM is indistinguishability against chosen-ciphertext attacks
(IND-CCA) [14] where an adversary is allowed to adaptively query a decapsulation oracle with
ciphertexts to obtain the corresponding key. We will not give the formal definition of IND-
CCA for KEMs. Instead we refer the reader to Section 3 where we introduce a new, weaker
security notion for KEMs that is sufficient for our goal of constructing IND-CCA secure hybrid
encryption.
2.4 Authenticated Encryption
An authenticated symmetric encryption (AE) scheme AE = (AE.Enc, AE.Dec) is specified by its
encryption algorithm AE.Enc (encrypting $M \in \mathrm{MsgSp}(k)$ with keys $K \in \mathcal{K}(k)$) and decryption
algorithm AE.Dec (returning $M \in \mathrm{MsgSp}(k)$ or $\bot$). Here we restrict ourselves to deterministic
PTAs AE.Enc and AE.Dec. The AE scheme needs to provide privacy (indistinguishability against
one-time attacks) and authenticity (ciphertext authenticity against one-time attacks). This is
simultaneously captured (similar to the more-time attack case [32]) by defining the ae-ot-advantage
of an adversary $B_{ae}$
$\mathrm{Adv}^{ae\text{-}ot}_{AE,B_{ae}}(k) = \left| \Pr[\,K \overset{\$}{\leftarrow} \mathcal{K}(k) ;\ b \overset{\$}{\leftarrow} \{0, 1\} ;\ b' \overset{\$}{\leftarrow} B_{ae}^{\mathrm{LoR}_b(\cdot,\cdot),\,\mathrm{DoR}_b(\cdot)}(1^k) : b = b'\,] - \tfrac{1}{2} \right| .$
Here, $\mathrm{LoR}_b(M_0, M_1)$ returns $\psi \leftarrow \mathit{AE.Enc}(K, M_b)$, and $B_{ae}$ is allowed only one query to this left-or-right
encryption oracle (one-time attack), with a pair of equal-length messages. Furthermore,
the decrypt-or-reject oracle $\mathrm{DoR}_1(\psi)$ returns $M \leftarrow \mathit{AE.Dec}(K, \psi)$ and $\mathrm{DoR}_0(\psi)$ always returns
$\bot$ (reject); $B_{ae}$ is allowed only one query to this decrypt-or-reject oracle which must be different
from the output of the left-or-right oracle.
³ This requirement is met by all popular KEMs and makes our reduction in Theorem 3.1 tighter. However,
we can show Theorem 3.1 also without this assumption, and derive that the keys are computationally close to
uniform from our upcoming KEM security assumption. This comes at the price of a less tight security reduction
in Theorem 3.1.
We say that AE is a one-time secure authenticated encryption scheme (AE-OT secure) if
the advantage function $\mathrm{Adv}^{ae\text{-}ot}_{AE,B_{ae}}(k)$ is negligible for all PTA $B_{ae}$. Again, for integers k, t,
$\mathrm{Adv}^{ae\text{-}ot}_{AE,t}(k) = \max_{B_{ae}} \mathrm{Adv}^{ae\text{-}ot}_{AE,B_{ae}}(k)$, where the maximum is over all $B_{ae}$ that fulfill $t_{B_{ae}} \le t$.
3 Hybrid encryption from Constrained CCA secure KEMs
3.1 Constrained Chosen-Ciphertext Security for KEMs
The common requirement for a KEM is security against chosen-ciphertext attacks [14] where an
adversary is allowed to adaptively query a decapsulation oracle with ciphertexts to obtain the
corresponding key. We relax this notion to constrained chosen-ciphertext security. Intuitively,
we only allow the adversary to make a decapsulation query if it already has some “a priori
knowledge” about the decapsulated key. This partial knowledge about the key is modeled im-
plicitly by letting the adversary additionally provide an efficiently computable Boolean predicate
pred : K → {0, 1}. If pred(K) = 1 then the decapsulated key K is returned, and ⊥ otherwise.
The amount of uncertainty the adversary has about the key (denoted as “plaintext uncertainty”
where for KEMs the plaintext is the symmetric key) is measured by the fraction of keys the
predicate evaluates to 1. We require this fraction to be negligible, i.e. the adversary has to have
a high a priori knowledge about the decapsulated key when making a decapsulation query.
We now turn to a more formal definition. To an adversary A we associate the following
experiment $\mathrm{Exp}^{ccca}_{KEM,A}(k)$.
Experiment $\mathrm{Exp}^{ccca}_{KEM,A}(k)$
    $(pk, sk) \overset{\$}{\leftarrow} \mathit{KEM.Kg}(1^k)$
    $K^*_0 \overset{\$}{\leftarrow} \mathcal{K}(k)$ ; $(K^*_1, C^*) \overset{\$}{\leftarrow} \mathit{KEM.Enc}(pk)$
    $b \overset{\$}{\leftarrow} \{0, 1\}$
    $b' \overset{\$}{\leftarrow} A^{\mathrm{CDec}(\cdot,\cdot)}(pk, K^*_b, C^*)$
    If $b = b'$ return 1 else return 0
$\mathrm{CDec}(pred_i, C_i)$
    $K \leftarrow \mathit{KEM.Dec}(sk, C_i)$
    If $K = \bot$ or $pred_i(K) = 0$ then return $\bot$
    Else return $K \in \mathcal{K}$
with the restriction that A is only allowed to query $\mathrm{CDec}(pred_i, C_i)$ on predicates $pred_i$ that
are provided as PTA⁴ and on ciphertexts $C_i$ different from the challenge ciphertext $C^*$.
We define the advantage of A in the experiment as
$\mathrm{Adv}^{ccca}_{KEM,A}(k) = \left| \Pr[\mathrm{Exp}^{ccca}_{KEM,A}(k) = 1] - \tfrac{1}{2} \right| .$
For an adversary A, let $t_A$ denote the number of computational steps A runs (that includes
the maximal time to evaluate each $pred_i$ once), and let $Q_A$ be the number of decapsulation
queries A makes to its decapsulation oracle. For simplicity and without loss of generality,
we consider only adversaries for which $t_A$ and $Q_A$ are independent of the environment that
A runs in. To adversary A in the above experiment we also associate A’s (implicit) plaintext
uncertainty $\mathrm{uncert}_A(k)$ when making decapsulation queries. Informally, $\mathrm{uncert}_A(k)$ measures
the average fraction of keys that a predicate $pred_i$ accepts, when running in environments that
are at least as efficient as the original CCCA experiment.⁵
⁴ Technically, we charge the time required to evaluate each $pred_i$ to A’s runtime and require that A be
polynomial-time.
Formally, for an adversary A and an environment E that A interacts with (e.g., E could be
the original CCCA experiment that interacts with A), define
$\mathrm{uncert}_{A,E}(k) = \frac{1}{Q} \sum_{1 \le i \le Q} \Pr_{K \in \mathcal{K}}[\,pred_i(K) = 1 \text{ when } A \text{ runs with } E\,] ,$
where $pred_i : \mathcal{K} \to \{0, 1\}$ is the predicate A submits in the $i$th decapsulation query. A CCCA
adversary A is called valid, iff
• A is PTA, and
• for all environments E satisfying $t_E \le t_{CCCA}$, we have that $\mathrm{uncert}_{A,E}(k)$ is negligible in
k. Here, $t_{CCCA}$ denotes the runtime of the original CCCA experiment (not counting the
adversary runtime and the runtime taken for evaluating predicates).
Finally, a key encapsulation mechanism KEM is said to be indistinguishable against constrained
chosen ciphertext attacks (IND-CCCA or simply CCCA) if for all valid PTA adversaries A,
the advantage function $\mathrm{Adv}^{ccca}_{KEM,A}(k)$ is negligible in k.
It is worth pointing out that by making different restrictions on $\mathrm{uncert}_A(k)$ our notion
of CCCA security leads to an interesting continuum between CPA and CCA security. With
the restriction $\mathrm{uncert}_A(k) = 0$ then CCCA = CPA; with the trivial restriction $\mathrm{uncert}_A(k) \le 1$
(which makes it possible to always use the constant predicate $pred(K) := 1$) then CCCA = CCA.
Concrete security. In the following, we will be interested in a concrete security treatment.
That is, we want not only an asymptotic security statement from an asymptotic computational
assumption; we also want a statement that shows exactly how much security one gets from a
given non-asymptotic version of the assumption.
First, the notion of a valid adversary is asymptotic and thus doesn’t make sense in a concrete
treatment. We therefore refine the central notion of $\mathrm{uncert}(\cdot)$ as follows:
$\mathrm{uncert}_A(k) = \max_{E:\ t_E \le t_{CCCA}}\ \frac{1}{Q} \sum_{1 \le i \le Q} \Pr_{K \in \mathcal{K}}[\,pred_i(K) = 1 \text{ when } A \text{ runs with } E\,] ,$
where as before, $t_{CCCA}$ denotes the runtime of the original IND-CCCA experiment. Note that
we take the maximum of this average probability over all environments that are at least as
efficient as the original IND-CCCA experiment.
Now the non-asymptotic, concrete version of CCCA security can be captured as follows: for
integers k, t, Q, and for $0 \le \mu \le 1$, let
$\mathrm{Adv}^{ccca}_{KEM,t,Q,\mu}(k) = \max_{A:\ t_A \le t,\ Q_A \le Q,\ \mathrm{uncert}_A(k) \le \mu} \mathrm{Adv}^{ccca}_{KEM,A}(k) .$
We also stress the following: demanding that $\mathrm{Adv}^{ccca}_{KEM,t,Q,\mu}(k)$ be negligible for all polynomials
t, Q, and all negligible functions µ is not the same as demanding CCCA security. Namely,
the former is the non-uniform version of CCCA security. (That is, CCCA security against
adversaries that are non-uniform, polynomial-sized circuit families.) This is not an artifact of our
definition, but a general phenomenon of definitions geared towards capturing concrete security.
In any case, all our reductions below consist of uniform reductions, so what we show is in fact
both uniform and non-uniform security.
⁵ One might wonder why we require a certain property of A’s submitted predicates even in more or less
arbitrary environments E (instead of, say, only in the CCCA game). The reason is that to show CCCA security
of a particular scheme, it will be helpful to use this stronger assumption on A in (slightly) modified environments
(e.g., in an already slightly modified CCCA game).
An alternative formulation of CCCA security. We remark that it is possible to restrict
the $\mathrm{CDec}(\cdot, \cdot)$ oracle in the CCCA experiment to only output $pred_i(K) \in \{0, 1\}$ (and not
the key itself in case $pred_i(K) = 1$). Note that this does not restrict the adversary since in
case $pred_i(K) = 1$ it is always possible to reconstruct the whole key K by making $|\mathcal{K}(k)| =
\mathrm{poly}(k)$ additional CCCA decapsulation queries with the predicates $pred_{i,j}(K') :=$ “$pred_i(K') \wedge
\mathrm{bit}_j(K') = 1$”, for $1 \le j \le |\mathcal{K}(k)|$. This determines the key K bit-wise.
3.2 Hybrid Encryption
Let KEM = (KEM.Kg, KEM.Enc, KEM.Dec) be a KEM and let AE = (AE.Enc, AE.Dec) be an
authenticated encryption scheme. We assume that the two schemes are compatible in the sense
that for all security parameters k, we have that the KEM’s and the AE’s key-space are equal.
Then we can consider a hybrid public key encryption scheme that encrypts arbitrary messages
M ∈ MsgSp. The construction of PKE = (PKE.kg, PKE.Enc, PKE.Dec) is as follows.
PKE.kg($1^k$)
    $(pk, sk) \overset{\$}{\leftarrow} \mathit{KEM.Kg}(1^k)$
    Return $(pk, sk)$
PKE.Enc$(pk, M)$
    $(K, C) \overset{\$}{\leftarrow} \mathit{KEM.Enc}(pk)$
    $\psi \leftarrow \mathit{AE.Enc}(K, M)$
    Return $C_{pke} = (C, \psi)$
PKE.Dec$(sk, C_{pke} = (C, \psi))$
    $K \leftarrow \mathit{KEM.Dec}(sk, C)$
    $M \leftarrow \mathit{AE.Dec}(K, \psi)$
    Return M or $\bot$
Here PKE.Dec returns ⊥ if either KEM.Dec or AE.Dec returns ⊥.
The following shows that an IND-CCCA secure KEM and an AE-OT secure authenticated
encryption scheme yield an IND-CCA secure PKE scheme.
Theorem 3.1 Assume KEM is secure in the sense of IND-CCCA and AE is secure in the sense
of AE-OT. Then PKE is secure in the sense of IND-CCA. In particular,
$\mathrm{Adv}^{cca}_{PKE,t,Q}(k) \le \mathrm{Adv}^{ccca}_{KEM,t,Q,\,2\mathrm{Adv}^{ae\text{-}ot}_{AE,t'}(k)}(k) + (Q + 1) \cdot \mathrm{Adv}^{ae\text{-}ot}_{AE,t}(k) + \frac{Q}{|\mathcal{K}|} ,$
where $t' := t + t_{CCCA}$ for the runtime $t_{CCCA}$ of the original IND-CCCA experiment.
The intuition of the proof is quite simple. The standard composition theorem [14] shows that
in the above construction an IND-CCA secure KEM can be combined with a CCA secure DEM.
Here we only require the KEM to be IND-CCCA secure. We deal with the full CCA decryption
queries in the hybrid PKE scheme as follows. A decryption query of an adversary in the IND-CCA
game consists of a KEM ciphertext C plus a DEM ciphertext ψ. In the reduction we use
the predicate $pred_\psi(\cdot)$ defined as $pred_\psi(K) = 0$ if $\mathit{AE.Dec}(K, \psi)$ returns $\bot$ and $pred_\psi(K) = 1$
otherwise. (That is, ψ is hard-coded into $pred_\psi$.) By the ciphertext authenticity property of
AE this predicate has small plaintext uncertainty, i.e. $\mathrm{uncert}(k) \le 2\mathrm{Adv}^{ae\text{-}ot}_{AE,B}(k)$. On the other
hand, this hybrid decryption query can be correctly simulated using the output from the CCCA
decapsulation query (which is a symmetric key or $\bot$) since an inconsistent ψ (with respect to
the symmetric key) will already lead the predicate $pred_\psi(\cdot)$ to be zero and hence the CCCA
decapsulation query correctly returns reject. For a consistent ψ the predicate evaluates to one
and the CCCA decapsulation query returns the correct symmetric key that in turn can be used
to obtain the message from ψ.
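As an added example (not code from the paper or its authors), the Section 3.2 construction and the reduction's predicate $pred_\psi$ in runnable form, together with the bit-wise key recovery from the alternative formulation in Section 3.1. The KEM is a constructed hashed-ElGamal placeholder over a toy modulus and the AE a constructed encrypt-then-MAC scheme; neither is one of the paper's schemes, they only make the composition executable.

```python
# Hybrid PKE = KEM + one-time AE, decrypted through the CCCA oracle CDec(pred, C).
import hashlib
import hmac
import secrets
KEY_BYTES = 32   # common key space of KEM and AE: 32-byte strings
TAG_BYTES = 32
P, G = 2**127 - 1, 5   # constructed toy group parameters, far too small for real use

# AE: deterministic encrypt-then-MAC (one-time use), constructed for this example
def _keystream(key, n):
    out, i = b"", 0
    while len(out) < n:   # block i = SHA-256(key || i)
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

def ae_enc(key, msg):
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def ae_dec(key, psi):
    if len(psi) < TAG_BYTES:
        return None   # None plays the role of the paper's reject symbol
    ct, tag = psi[:-TAG_BYTES], psi[-TAG_BYTES:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None   # wrong tag: reject
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

# KEM: hashed-ElGamal placeholder (not the paper's KEM), just so the composition runs
def kem_kg():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def kem_enc(pk):
    r = secrets.randbelow(P - 2) + 1
    return hashlib.sha256(pow(pk, r, P).to_bytes(16, "big")).digest(), pow(G, r, P)

def kem_dec(sk, c):
    if not 1 < c < P:   # malformed group element: reject
        return None
    return hashlib.sha256(pow(c, sk, P).to_bytes(16, "big")).digest()

# Hybrid PKE of Section 3.2
def pke_enc(pk, msg):
    key, c = kem_enc(pk)
    return c, ae_enc(key, msg)

def pke_dec(sk, cpke):
    c, psi = cpke
    key = kem_dec(sk, c)
    return None if key is None else ae_dec(key, psi)

class CDecOracle:
    """CDec(pred, C) of the CCCA experiment: decapsulate, hand out K only if pred(K) = 1."""
    def __init__(self, sk, challenge_c):
        self.sk, self.cstar, self.queries = sk, challenge_c, 0

    def query(self, pred, c):
        if c == self.cstar:
            raise ValueError("queries on the challenge ciphertext are not allowed")
        self.queries += 1
        key = kem_dec(self.sk, c)
        return None if key is None or pred(key) == 0 else key

def pred_for(psi):   # the reduction's pred_psi: 1 iff AE.Dec(K, psi) != reject, psi hard-coded
    return lambda key: 0 if ae_dec(key, psi) is None else 1

def simulated_pke_dec(oracle, cpke):   # how B_kem answers A's decryption query (C, psi)
    c, psi = cpke
    key = oracle.query(pred_for(psi), c)
    return None if key is None else ae_dec(key, psi)

def estimate_uncert(pred, samples=500):   # Monte-Carlo Pr_K[pred(K) = 1] over random keys
    return sum(pred(secrets.token_bytes(KEY_BYTES)) for _ in range(samples)) / samples

def recover_key_bitwise(oracle, pred, c):
    """Alternative CCCA formulation: the oracle only reveals whether pred(K) = 1, so
    recover K with pred_j(K) := pred(K) and bit_j(K) = 1, one query per key bit."""
    if oracle.query(pred, c) is None:
        return None
    out = bytearray(KEY_BYTES)
    for j in range(8 * KEY_BYTES):
        pred_j = lambda key, j=j: 1 if pred(key) and (key[j // 8] >> (7 - j % 8)) & 1 else 0
        if oracle.query(pred_j, c) is not None:   # non-reject answer means pred_j(K) = 1
            out[j // 8] |= 1 << (7 - j % 8)
    return bytes(out)

def demo():
    pk, sk = kem_kg()
    oracle = CDecOracle(sk, pke_enc(pk, b"challenge")[0])
    c, psi = pke_enc(pk, b"hello hybrid")
    tampered = bytes([psi[0] ^ 1]) + psi[1:]   # inconsistent psi for the same KEM part C
    return {
        "consistent": simulated_pke_dec(oracle, (c, psi)),
        "tampered": simulated_pke_dec(oracle, (c, tampered)),
        "uncert": estimate_uncert(pred_for(psi)),
        "recovered": recover_key_bitwise(oracle, pred_for(psi), c) == kem_dec(sk, c),
        "queries": oracle.queries,   # 1 + 1 + (1 + 8 * KEY_BYTES) = 259
    }
```

The tampered query shows the mechanism the proof relies on: an inconsistent ψ makes $pred_\psi$ reject, so CDec returns ⊥ without the reduction ever seeing the key, while the uncertainty estimate shows how rarely a random key satisfies such a predicate.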
We now give a formal proof of Theorem 3.1.
Proof: Let A be an adversary on the IND-CCA security of the hybrid scheme. We will consider
a sequence of games, Game 1, Game 2, . . . , each game involving A. Let $X_i$ be the event that in
Game i, it holds that $b = b'$, i.e., that the adversary succeeds. We will make use of the following
simple “Difference Lemma” [14].
Lemma 3.2 Let $X_1, X_2, B$ be events, and suppose that $X_1 \wedge \neg B \Leftrightarrow X_2 \wedge \neg B$. Then $|\Pr[X_1] - \Pr[X_2]| \le \Pr[B]$.
Game 1. The original PKE IND-CCA game, i.e. we have
$|\Pr[X_1] - 1/2| = \mathrm{Adv}^{cca}_{PKE,A}(k) .$
Game 2. Let $C^*_{pke} = (C^*, \psi^*)$ be the challenge ciphertext in the PKE IND-CCA game. In
this game the decryption oracle in the first phase rejects all ciphertexts of the form $C_{pke} =
(C^*, *)$. The view of adversary A is identical in Games 1 and 2 until a decryption query
$(C^*, *)$ is made in the first phase of the IND-CCA experiment (so before A gets to see $C^*$).
Since the key K encapsulated in $C^*$ is uniformly distributed and independent of A’s view
in the first phase, we have
$|\Pr[X_2] - \Pr[X_1]| \le \frac{Q}{|\mathcal{K}|} .$
Note that each ciphertext uniquely determines a key.
Game 3. Replace the symmetric key $K^*$ used to create the PKE challenge ciphertext with a
random key $K^*$, uniformly independently chosen from $\mathcal{K}$. The proof of the following key
lemma is postponed until later.
Lemma 3.3 $|\Pr[X_3] - \Pr[X_2]| \le \mathrm{Adv}^{ccca}_{KEM,t,Q,\,2\mathrm{Adv}^{ae\text{-}ot}_{AE,t'}(k)}(k)$.
Game 4. Reject all ciphertexts $C_{pke}$ of the form $(C^*, *)$. Since $\psi^*$ was generated using a
random key $K^* \in \mathcal{K}$ that only leaks to A through $\psi^*$, authenticity of AE implies
$|\Pr[X_4] - \Pr[X_3]| \le Q_A \cdot \mathrm{Adv}^{ae\text{-}ot}_{AE,B_{ae}}(k)$
for a suitable adversary $B_{ae}$ that simulates Game 3, using the $\mathrm{LoR}_b$ oracle with two identical
messages to obtain the AE part of the challenge ciphertext. $B_{ae}$ simply uniformly picks
one AE part of a decryption query of the form $(C^*, \psi)$ to submit to the decrypt-or-reject
oracle $\mathrm{DoR}_1(\cdot)$.
Finally, Game 4 models one-time security of the AE scheme, and we have
$|\Pr[X_4] - 1/2| \le \mathrm{Adv}^{ae\text{-}ot}_{AE,t}(k) .$
Collecting the probabilities proves the theorem.
It remains to prove Lemma 3.3.
Proof of Lemma 3.3: We show that there exists an adversary $B_{kem}$ against the IND-CCCA
security of KEM with $t_{B_{kem}} = t_A$, $Q_{B_{kem}} = Q_A$, and for every PTA environment E there is an
adversary $B_{ae}$ against AE with $t_{B_{ae}} = t_A + t_E$, such that
$\mathrm{uncert}_{B_{kem}}(k) \le 2\mathrm{Adv}^{ae\text{-}ot}_{AE,B_{ae}}(k)$ (1)
$\Pr[X_2] = \Pr[\mathrm{Exp}^{ccca}_{KEM,B_{kem}}(k) = 1 \mid b = 1]$ (2)
$\Pr[X_3] = \Pr[\mathrm{Exp}^{ccca}_{KEM,B_{kem}}(k) = 1 \mid b = 0]$ . (3)
The adversary Bkem against the CCCA security of KEM is defined as follows. Bkem inputs
(pk, K∗
b , C∗) for an unknown bit b. First, Bkem runs A1 on input pk. For the ith decryption
query (Ci, ψi) made by adversary A1, adversary Bkem defines the function predi : K → {0, 1} as
predi(K) :=
0 : if AE.Dec(K, ψi) returns ⊥
1 : otherwise
Note that the symmetric ciphertext ψi is hard-coded into predi(·). Clearly, predi(·) is efficiently
computable. If Ci = C∗ then B returns ⊥. Otherwise, Bkem queries (predi, Ci) to its own oracle
CDec(·, ·) and receives the following answer: If KEM.Dec(sk, Ci) returns a key Ki ∈ K such that
AE.Dec(Ki, ψi) = ⊥, then CDec(predi, Ci) returns the key Ki. Otherwise (if KEM.Dec(sk, Ci) =
⊥ or if AE.Dec(Ki, ψi) = ⊥), CDec(predi, Ci) returns ⊥. Note that by the syntax of AE this
can be used to perfectly simulate A’s decryption queries.
For A’s encryption challenge for two messages M0, M1, Bkem uses its own input (K∗
b , C∗) together
with a random bit δ to create a challenge ciphertext C∗
pke = (C∗, ψ∗ ← AE.Enc(K∗
b , Mδ)) of
message Mδ. Adversary Bkem runs A2(C∗
pke, St1), answering decryption queries as defined above
with the difference that all decryption queries of the form (C∗, ψ) (with ψ = ψ∗) are answered
with withever AE.Dec(K∗
b , ψ) returns (a message or ⊥). Evntually, A2 returns a guess bit δ for
δ and Bkem concludes its game with outputting b = 1 if δ = δ and b = 0, otherwise. This
completes the description of Bkem.
Adversary Bkem always perfectly simulates A’s decapsulation queries. In case b = 1, Bkem uses
the real key K∗
1 for A’s simulation which implies Equation (2). In case b = 0, Bkem uses a
random key K∗
0 for A’s simulation which implies Equation (3).
The complexity bounds for Bkem are clear from the construction, and it is left to show that for
any given efficient environment E, uncertBkem
(k) = 2Advae-ot
AE,Bae
(k) for a suitable Bae.
To this end we build an adversary Bae against the AE security of AE as follows. Bae inputs
1k and internally simulates an interaction between A and E completely faithfully. However,
Bae additionally picks a random index j∗ ∈ {1, . . . , Q}. On A’s j∗ decryption query (Cj∗ , ψj∗ ),
Bae submits ψj∗ to its own decryption-or-reject oracle DoRb(·), and outputs b = 0 iff DoRb(·)
rejects with ⊥.
Now Bae will always output b = 0 if b = 0 by definition of DoR0. In case b = 1, Bae will output
b = 1 iff the ciphertext ψj∗ is valid in the sense AE.Dec(K , ψj∗ ) = ⊥ for an independent,
uniformly (by the AE experiment) chosen key K . So adversary Bae’s advantage is as follows.
Advae-ot
AE,Bae
(k) =
1
2
Pr[K
$
← K : AE.Dec(K , ψj∗ ) = ⊥] =
1
2QA
QA
j∗=1
predj∗ (K ) =
1
2
uncertBkem ,E(k),
where predj∗ (·) = AE.Dec(·, ψj∗ ) is the predicate adversary Bkem submits to oracle CDec as the
j∗th query.
10
4 Efficient Key Encapsulation from DDH
4.1 Building blocks
We describe the building blocks used and assumptions made about them.
Group schemes. A group scheme GS [14] specifies a sequence $(GR_k)_{k \in \mathbb{N}}$ of group descriptions.
For every value of a security parameter $k \in \mathbb{N}$, $GR_k$ specifies the four-tuple $GR_k = (\hat{G}_k, G_k, p_k, g_k)$
(for notational convenience we sometimes drop the index k). $GR_k = (\hat{G}, G, p, g)$ specifies a finite
abelian group $\hat{G}$, along with a prime-order subgroup G, a generator g of G, and the order p
of G. We denote the identity element of G as $1_G \in G$. We assume that $\hat{G}$ is of order $q = p \cdot p'$
and that it takes $|q|$ bits to represent an element in G. We further assume the existence of an
efficient sampling algorithm $x \xleftarrow{\$} G$ and an efficient membership algorithm that tests if a given
element $x \in \hat{G}$ is contained in the subgroup G.
We further assume the DDH problem is hard in GS, captured by defining the ddh-advantage
of an adversary $B_{\mathrm{ddh}}$ as
\[ \mathrm{Adv}^{\mathrm{ddh}}_{GS,B_{\mathrm{ddh}}}(k) = \frac{1}{2}\,\big|\Pr[B_{\mathrm{ddh}}(g, h, g^a, h^a) = 1] - \Pr[B_{\mathrm{ddh}}(g, h, g^a, K) = 1]\big|, \]
where $g, h, K \xleftarrow{\$} G$ and $a \leftarrow \mathbb{Z}_p^*$.
Authenticated Encryption. We need an abstract notion of algebraic authenticated encryp-
tion where the keyspace consists of G, secure in the sense of OT-AE. In Appendix D we recall
(following the encrypt-then-mac approach [5, 14]) how to build such algebraic AE satisfying all
required functionality and security from the following basic primitives:
• A (computationally secure) one-time symmetric encryption scheme with binary k-bit keys
(such as AES or padding with a PRNG)
• A (computationally secure) MAC (existentially unforgeable) with k-bit keys
• A (computationally secure) key-derivation function (pseudorandom).
We remark that for our purposes it is also possible to use a more efficient single-pass authen-
ticated encryption scheme (see, e.g., [31]). In both cases the ciphertext expansion (i.e.,
ciphertext size minus plaintext size) of the AE scheme is only k (security parameter) bits, which
is optimal with respect to our security notion.
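The following is an added example, not the paper's Appendix D construction, of an authenticated encryption scheme whose key is a group element (an integer, as the text's "algebraic" AE requires), built in the encrypt-then-MAC style the text cites: a KDF derives an encryption and a MAC subkey from K, a one-time pad is drawn from a PRNG, and a MAC authenticates the body. Assumptions of the example (not from the paper): HMAC-SHA256 serves as KDF and MAC, SHA-256 in counter mode serves as PRNG, the group element is serialized as a big-endian integer, and tags are truncated to k = 128 bits so that the ciphertext expansion is exactly k bits. The block also constructs the predicate pred_i(K) := [AE.Dec(K, ψ_i) ≠ ⊥] used in the proof of Lemma 3.3 and estimates how rarely a random key satisfies it, which is what makes uncert small.

```python
import hashlib
import hmac
import os

K_BITS = 128                 # security parameter k: tag length = ciphertext expansion
TAG_LEN = K_BITS // 8


def _kdf(K: int, label: bytes) -> bytes:
    """Key-derivation function: a 256-bit subkey from the group element K.
    Assumption of this example: an element of G is serialized as a big-endian integer."""
    ke = K.to_bytes(max(1, (K.bit_length() + 7) // 8), "big")
    return hmac.new(ke, label, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """One-time encryption: pad the message with PRNG output (SHA-256 in counter mode;
    constructed for this example, not a standardized cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def ae_enc(K: int, msg: bytes) -> bytes:
    """AE.Enc: encrypt-then-MAC; the ciphertext is len(msg) + k/8 bytes long."""
    body = bytes(m ^ s for m, s in zip(msg, _keystream(_kdf(K, b"enc"), len(msg))))
    tag = hmac.new(_kdf(K, b"mac"), body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def ae_dec(K: int, psi: bytes):
    """AE.Dec: returns the message, or None (the paper's ⊥) when the tag does not verify."""
    if len(psi) < TAG_LEN:
        return None
    body, tag = psi[:-TAG_LEN], psi[-TAG_LEN:]
    expected = hmac.new(_kdf(K, b"mac"), body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(_kdf(K, b"enc"), len(body))))


def make_pred(psi: bytes):
    """pred_i from the proof of Lemma 3.3: psi_i is hard-coded, the key is the only input;
    pred(K) = 0 iff AE.Dec(K, psi) returns ⊥."""
    return lambda K: 0 if ae_dec(K, psi) is None else 1


def estimate_uncert(psi: bytes, key_space: int, trials: int) -> float:
    """Empirical uncertainty of pred: fraction of uniformly random keys K in
    {0, ..., key_space-1} on which pred(K) = 1. Authenticity of AE keeps this near zero."""
    pred = make_pred(psi)
    hits = sum(pred(int.from_bytes(os.urandom(16), "big") % key_space) for _ in range(trials))
    return hits / trials
```

A hybrid-encryption decryptor that receives (C, ψ) would decapsulate K from C and call ae_dec(K, ψ); in the proof, CDec evaluates exactly make_pred(ψ) on the decapsulated key before releasing it.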
Target Collision Resistant Hashing. $\mathrm{TCR} = (\mathrm{TCR}_k)_{k \in \mathbb{N}}$ is a family of keyed hash functions
$\mathrm{TCR}^s_k : G \to \mathbb{Z}_p$ for each k-bit key s. It is assumed to be target collision resistant
(TCR) [14], which is captured by defining the tcr-advantage of an adversary $B_{\mathrm{tcr}}$ as
\[ \mathrm{Adv}^{\mathrm{tcr}}_{\mathrm{TCR},B_{\mathrm{tcr}}}(k) = \Pr[\mathrm{TCR}^s(c^*) = \mathrm{TCR}^s(c) \wedge c \neq c^* : s \xleftarrow{\$} \{0,1\}^k ;\ c^* \xleftarrow{\$} G ;\ c \xleftarrow{\$} B_{\mathrm{tcr}}(s, c^*)]. \]
Note TCR is a weaker requirement than collision-resistance, so that, in particular, any practical
collision-resistant function can be used. Also note that our notion of TCR is related to the
stronger notion of universal one-way hashing [25], where in the security experiment of the latter
the target value $c^*$ is chosen by the adversary (but before seeing the hash key s).
Commonly [14, 24] this function is implemented using a dedicated cryptographic hash function
like MD5 or SHA, which we assume to be target collision resistant. Since $|G| = |\mathbb{Z}_p| = p$
we can alternatively also use a fixed (non-keyed) bijective encoding function $\mathrm{INJ} : G \to \mathbb{Z}_p$.
In that case we have a perfectly collision resistant hash function, i.e. $\mathrm{Adv}^{\mathrm{tcr}}_{\mathrm{INJ},B_{\mathrm{tcr}}}(k) = 0$. In
Appendix C, we show how to build such bijective encodings for a number of concrete group
schemes.
4.2 The key-encapsulation mechanism
Let GS be a group scheme where $GR_k$ specifies $(\hat{G}, G, g, p)$ and let $\mathrm{TCR} : G \to \mathbb{Z}_p$ be a target
collision resistant hash function (for simplicity we assume TCR to be non-keyed). We build a
key encapsulation mechanism $\mathrm{KEM} = (\mathrm{KEM.Kg}, \mathrm{KEM.Enc}, \mathrm{KEM.Dec})$ with $\mathcal{K} = G$ as follows.
KEM.Kg($1^k$):
  $x, y, \omega \xleftarrow{\$} \mathbb{Z}_p^*$
  $u \leftarrow g^x$ ; $v \leftarrow g^y$ ; $h \leftarrow g^\omega$
  $pk \leftarrow (u, v, h) \in G^3$
  $sk \leftarrow (x, y, \omega) \in (\mathbb{Z}_p)^3$
  Return $(sk, pk)$
KEM.Enc($pk$):
  $r \xleftarrow{\$} \mathbb{Z}_p^*$ ; $c \leftarrow g^r$
  $t \leftarrow \mathrm{TCR}(c)$ ; $\pi \leftarrow (u^t v)^r$
  $C \leftarrow (c, \pi) \in G^2$
  $K \leftarrow h^r \in G$
  Return $(C, K)$
KEM.Dec($sk, C$):
  Parse C as $(c, \pi) \in \hat{G} \times \hat{G}$
  If $c \notin G$ return $\bot$
  $t \leftarrow \mathrm{TCR}(c)$
  If $c^{xt+y} \neq \pi$ return $\bot$
  Return $K \leftarrow c^\omega$
We stress that decryption never explicitly checks if $\pi \in G$; this check happens implicitly when
$c \in G$ and $c^{xt+y} = \pi$ are checked.
A correctly generated ciphertext has the form $C = (c, \pi) \in G \times G$, where $c = g^r$ and
$\pi = (u^t v)^r = (g^{xt+y})^r = c^{xt+y}$. Hence decapsulation will not reject and computes the key
$K = c^\omega = h^r$, as in encapsulation.
Encryption takes four standard exponentiations plus one application of TCR, where the
generation of $\pi$ can also be carried out as a single multi-exponentiation [7]. Decryption takes
two exponentiations plus one application of TCR, where the two exponentiations can also be
viewed as one sequential exponentiation [7] (which is as efficient as a multi-exponentiation) to
simultaneously compute $c^{xt+y}$ and $c^\omega$.
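As an added example (not code from the paper), the KEM above instantiated in a toy group scheme: $\hat{G} = \mathbb{Z}_P^*$ for a safe prime $P = 2p + 1$, G the subgroup of quadratic residues (prime order p, so the cofactor p' is 2), and $g = 4$ as generator. The constants P = 2039, p = 1019 are constructed for the example and far too small for real use. TCR is realized as a bijective encoding INJ : G → Z_p, as Section 4.1 permits; the concrete map min(c, P − c) mod p is an assumption of this example (it is a bijection because P ≡ 3 mod 4, so exactly one of c and P − c is a residue). Decapsulation rejects explicitly, with None standing for ⊥.

```python
import secrets

# Toy group scheme, constructed for this example (NOT for real use: p is tiny).
# Ĝ = Z_P^* with P = 2p + 1 a safe prime, G = subgroup of quadratic residues of prime
# order p, generator g = 4 = 2^2.
P = 2039          # |Ĝ| = q = 2 * p, i.e. the cofactor p' of the text is 2
p = 1019          # order of G
g = 4


def in_G(x: int) -> bool:
    """Membership test for the prime-order subgroup G (one exponentiation)."""
    return 0 < x < P and pow(x, p, P) == 1


def TCR(c: int) -> int:
    """Bijective encoding INJ : G -> Z_p, so Adv^tcr = 0 (assumption of this example).
    For 1 <= x <= p exactly one of x, P - x is a quadratic residue because P ≡ 3 mod 4,
    hence min(c, P - c) ranges over {1, ..., p}; reducing mod p maps p to 0."""
    assert in_G(c)
    return min(c, P - c) % p


def rand_zp_star() -> int:
    return 1 + secrets.randbelow(p - 1)


def kem_kg():
    """KEM.Kg: sk = (x, y, ω), pk = (u, v, h) = (g^x, g^y, g^ω)."""
    x, y, w = rand_zp_star(), rand_zp_star(), rand_zp_star()
    return (x, y, w), (pow(g, x, P), pow(g, y, P), pow(g, w, P))


def kem_enc(pk):
    """KEM.Enc: C = (g^r, (u^t v)^r) with t = TCR(c), K = h^r."""
    u, v, h = pk
    r = rand_zp_star()
    c = pow(g, r, P)
    t = TCR(c)
    pi = pow(pow(u, t, P) * v % P, r, P)
    return (c, pi), pow(h, r, P)


def kem_dec(sk, C):
    """KEM.Dec with explicit rejection: returns the key, or None for ⊥."""
    x, y, w = sk
    c, pi = C
    if not in_G(c):
        return None
    t = TCR(c)
    if pow(c, (x * t + y) % p, P) != pi:      # consistency check; it also forces π ∈ G
        return None
    return pow(c, w, P)                        # c^ω = g^{rω} = h^r


def demo():
    """Correct decapsulation, and rejection of an inconsistent π and of c ∉ G."""
    sk, pk = kem_kg()
    C, K = kem_enc(pk)
    c, pi = C
    ok = kem_dec(sk, C) == K
    inconsistent = kem_dec(sk, (c, pi * g % P)) is None   # π tampered
    non_member = kem_dec(sk, (P - 1, pi)) is None          # -1 is a non-residue, so ∉ G
    return ok, inconsistent, non_member
```

The membership test in_G is the one exponentiation the text's "efficient membership algorithm" assumes; skipping it would let a ciphertext with c outside G pass the consistency check and leak information about sk through the returned key's small-order component.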
Theorem 4.1 Let GS be a group scheme where the DDH problem is hard and assume TCR is
target collision resistant. Then KEM is secure in the sense of IND-CCCA. In particular,
\[ \mathrm{Adv}^{\mathrm{ccca}}_{\mathrm{KEM},t,Q,\mathrm{uncert}(k)}(k) \le \mathrm{Adv}^{\mathrm{ddh}}_{GS,t}(k) + \mathrm{Adv}^{\mathrm{tcr}}_{\mathrm{TCR},t}(k) + Q \cdot \mathrm{uncert}(k) + \frac{Q}{p}. \]
In combination with Theorem 3.1 we obtain the following concrete security result.
Corollary 4.2 The hybrid encryption scheme PKE obtained by combining KEM with authenticated
encryption AE is secure in the sense of IND-CCA. In particular,
\[ \mathrm{Adv}^{\mathrm{cca}}_{\mathrm{PKE},t,Q}(k) \le \mathrm{Adv}^{\mathrm{ddh}}_{GS,t}(k) + \mathrm{Adv}^{\mathrm{tcr}}_{\mathrm{TCR},t}(k) + (2Q + 1) \cdot \mathrm{Adv}^{\mathrm{ae\text{-}ot}}_{\mathrm{AE},t}(k) + \frac{2Q}{p}. \]
Before we give a formal proof we give some intuition why the KEM is IND-CCCA secure.
The difficulty with the simulation is that an adversary against the DDH assumption (simulating
an adversary's view) has to distinguish between consistent ciphertexts (i.e., ciphertexts for which
$c^{xt+y} = \pi$ holds) and inconsistent ciphertexts, without knowing the secret key. The idea of the
proof is as follows. The simulator inputs $(g, h, c^* = g^r, K^*)$ and wants to distinguish $K^* = h^r$
from a random element in G. In the simulation the values u, v from the public key are set
up such that the tuple $(c^*, \pi^*)$ can be used as the challenge ciphertext (for some efficiently
computable $\pi^*$) and the value $K^*$ as the session key. By construction, the corresponding real
session key is $h^r$, so breaking IND of the KEM is equivalent to solving the DDH problem. It
remains to deal with the decapsulation queries under a CCCA attack. The simulator is not able to
distinguish consistent from inconsistent ciphertexts. However, the simulator uses an alternative
decapsulation algorithm with the following two properties:
• If the queried ciphertext is consistent (and as long as it is distinct from the challenge
ciphertext) then the alternative decapsulation algorithm yields the correct session key K.
This is done using an algebraic trick from selective-ID secure identity-based encryption [8].
• If the queried ciphertext is inconsistent then the alternative decapsulation algorithm yields
one virtual session key $K'$ that is uniformly distributed over G (in an information-theoretic
sense). The probability space is taken over all possible secret keys of the simulator that
yield the public key given to the adversary. Returning the virtual key $K'$ to the adversary
would completely determine the simulator's secret key and hence also the virtual key $K'$
for the next decapsulation query. However, in the IND-CCCA game it will be hard for an
adversary to provide sufficient information about $K'$ (in the form of the predicate pred), so
that inconsistent decapsulation queries will nearly always lead to a rejection and the same
argument can be repeated iteratively.
We now turn to a formal proof.
Proof: First, if a key pair $(pk, sk)$ with $pk = (h, u, v)$ and $sk = (\omega, x, y)$ is clear from the context,
we call a ciphertext $C = (c, \pi)$ consistent iff $c^{xt+y} = \pi$ holds for the tag $t := \mathrm{TCR}(c)$. Note that
C is hence consistent iff $\log_g(c) = \log_{u^t v}(\pi)$.
Let A be an adversary on the IND-CCCA security of the KEM. We will consider a sequence of
games, Game 1, Game 2, ..., each game involving A. Let $X_i$ be the event that in Game i, it
holds that $b = b'$, i.e., that the adversary succeeds.
Game 1. The KEM IND-CCCA game with random $b \in \{0,1\}$, i.e., we have
\[ |\Pr[X_1] - 1/2| = \mathrm{Adv}^{\mathrm{ccca}}_{\mathrm{KEM},A}(k). \]
Let us fix some notation. Let $C^* = (c^*, \pi^*) = (g^a, (u^{t^*} v)^a)$ be the challenge ciphertext
(where $t^* = \mathrm{TCR}(c^*)$) and let $K^*_1 = h^a$ be the real challenge key.
Game 2. The decryption oracle immediately rejects all ciphertexts $(c, \pi)$ with $c \neq c^*$ and
$t = t^*$ (TCR check). Since Game 1 and Game 2 proceed identically until $c \neq c^*$ and
$\mathrm{TCR}(c) = t = t^* = \mathrm{TCR}(c^*)$, we have by Lemma 3.2
\[ |\Pr[X_2] - \Pr[X_1]| \le \mathrm{Adv}^{\mathrm{tcr}}_{\mathrm{TCR},B_{\mathrm{tcr}}}(k). \]
Game 3. Change generation of the secret key as follows. Pick uniformly values $x_1, x_2, y_1 \in \mathbb{Z}_p$
with $x_2 \neq 0$ and define
\[ x = x_1 + \omega x_2 \;;\; y = y_1 + \omega(-t^* x_2). \tag{4} \]
Note that public and secret key have exactly the same distribution as in the last game.
We will now rewrite the experiment in terms of $x_1$, $x_2$, and $y_1$ (our goal is to run the
experiment without knowledge of $\omega$). Equation (4) defines the public key as
\[ u = g^{x_1} h^{x_2} \;;\; v = g^{y_1} h^{-t^* x_2}. \tag{5} \]
Note that now the consistency check $c^{xt+y} = \pi$ needs to know $\omega$. The change of the secret
key also implicitly affects the generation of the element $\pi^*$ in the challenge ciphertext.
Creation of challenge ciphertext $C^*$ and real key $K^*_1$ now simplifies to
\[ c^* = g^a \;;\; \pi^* = (g^a)^{x_1 t^* + y_1} \;;\; K^*_1 = h^a. \tag{6} \]
Hence $(c^*, \pi^*)$ is a correctly generated ciphertext for the real key $K^*_1$ with randomness $a \in \mathbb{Z}_p$,
since by Equations (4) and (5) we have $(u^{t^*} v)^a = (g^{x_1 t^* + y_1} h^{x_2(t^* - t^*)})^a = (g^a)^{x_1 t^* + y_1} = \pi^*$.
Note that the experiment does not explicitly know the randomness a, only the values
$g^a$ and $h^a$. Since the changes are purely conceptual we have
\[ \Pr[X_3] = \Pr[X_2]. \]
Game 4. Consider a query $(\mathrm{pred}, C)$ adversary A makes to the oracle $\mathrm{CDec}(\cdot,\cdot)$ and recall
that $\mathrm{pred} : G \to \{0,1\}$ is some efficiently computable predicate. After the TCR check,
such a query is now processed in the following way. If the ciphertext C is inconsistent (this
is checked using $\omega$) it gets rejected. If the ciphertext $C = (c, \pi)$ is consistent (by $C \neq C^*$
at this point we have $t \neq t^*$) compute K as
\[ K = \left( \frac{\pi}{c^{x_1 t + y_1}} \right)^{\frac{1}{x_2 (t - t^*)}}. \tag{7} \]
If $\mathrm{pred}(K) = 0$, then reject, and return K otherwise.
This change is purely conceptual since for any consistent ciphertext with $t \neq t^*$ we have
$\pi = (u^t v)^r = (g^{x_1 t + y_1} h^{x_2(t - t^*)})^r = c^{x_1 t + y_1} K^{x_2(t - t^*)}$, which implies correctness of Equation (7).
Consequently,
\[ \Pr[X_4] = \Pr[X_3]. \]
Game 5. A query $(\mathrm{pred}, C)$ adversary A makes to the oracle $\mathrm{CDec}(\cdot,\cdot)$ is now processed in
the following way. After the TCR check, for all ciphertexts $C = (c, \pi)$ (consistent and
inconsistent alike) the key K is decapsulated using Equation (7). If $\mathrm{pred}(K) = 0$, then
reject, and return K otherwise.
Note that at this point the experiment does not make use of $\omega = \log_g h$ anymore and hence
the value $h \in G$ from the public key can be generated as a random group element. The
proof of the following key lemma will be given later.
Lemma 4.3
\[ |\Pr[X_5] - \Pr[X_4]| \le Q \cdot \left( \mathrm{uncert}_A(k) + \frac{1}{p} \right). \]
Intuitively the lemma holds since for one inconsistent ciphertext submitted to the $\mathrm{CDec}(\cdot,\cdot)$
oracle, the virtual key $K'$ computed as in Equation (7) looks like a uniform and independent
element in the view of the adversary (the probability space is the redundancy
contained in sk that is information-theoretically hidden from pk). But for a random independent
key $K'$, the probability that $\mathrm{pred}(K') = 1$ (meaning the ciphertext does not
get rejected) is bounded by $\mathrm{uncert}_A(k)$, which is negligible by assumption. Hence, with
high probability the inconsistent ciphertext gets rejected and the virtual key $K'$ remains
hidden from the adversary's view. This makes it possible to use a hybrid argument to
show that, with high probability, all inconsistent ciphertexts get rejected in Game 5, just
as in Game 4.
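The following added example (not from the paper) runs the simulator of Games 3 to 5 in the same toy group as the KEM example above (P = 2039, p = 1019, g = 4, constructed constants; the bijective TCR is again an assumption of the example). Given only h and c* = g^a, it publishes u, v via Equation (5), forms π* via Equation (6), and answers queries with the alternative decapsulation of Equation (7). The demo checks the three facts the proof relies on: the simulated challenge is a genuinely formed ciphertext; on a consistent query Equation (7) returns the real key h^r without using ω; and on an inconsistent query the "virtual key" changes with the hidden redundancy x_2, i.e. with which of the secret keys explaining the same public key the simulator happens to hold.

```python
import secrets

P, p, g = 2039, 1019, 4   # same toy safe-prime group as the KEM example (constructed)


def in_G(x: int) -> bool:
    return 0 < x < P and pow(x, p, P) == 1


def TCR(c: int) -> int:
    return min(c, P - c) % p            # bijective encoding G -> Z_p (example assumption)


def rand_zp_star() -> int:
    return 1 + secrets.randbelow(p - 1)


def sim_setup(h: int, c_star: int):
    """Games 3-5: from the DDH instance part (g, h, c* = g^a) pick x1, x2 != 0, y1 and
    publish u, v as in Eq. (5) and the challenge (c*, π*) as in Eq. (6).
    Neither ω = log_g h nor a is known here."""
    t_star = TCR(c_star)
    x1, y1, x2 = secrets.randbelow(p), secrets.randbelow(p), rand_zp_star()
    u = pow(g, x1, P) * pow(h, x2, P) % P
    v = pow(g, y1, P) * pow(h, (-t_star * x2) % p, P) % P
    pi_star = pow(c_star, (x1 * t_star + y1) % p, P)
    return (u, v, h), (x1, x2, y1, t_star), (c_star, pi_star)


def alt_decap(simsk, C):
    """Eq. (7): K = (π / c^{x1 t + y1})^{1/(x2 (t - t*))}. The real key for consistent
    ciphertexts with t != t*, a 'virtual' key for inconsistent ones."""
    x1, x2, y1, t_star = simsk
    c, pi = C
    if not in_G(c):
        return None
    t = TCR(c)
    if t == t_star:                         # Game 2: TCR check rejects c != c* with t = t*
        return None
    base = pi * pow(pow(c, (x1 * t + y1) % p, P), -1, P) % P
    exp = pow((x2 * (t - t_star)) % p, -1, p)
    return pow(base, exp, P)


def demo():
    # The honest world draws ω and a; the simulator only ever sees h and g^a.
    w, a = rand_zp_star(), rand_zp_star()
    h, c_star = pow(g, w, P), pow(g, a, P)
    pk, simsk, (_, pi_star) = sim_setup(h, c_star)
    u, v, _ = pk
    x1, x2, y1, t_star = simsk
    # (1) the simulated challenge equals a genuine encapsulation with randomness a
    challenge_ok = pi_star == pow(pow(u, t_star, P) * v % P, a, P)
    # (2) a consistent query: Eq. (7) recovers h^r = c^ω although ω is never used
    r = rand_zp_star()
    while TCR(pow(g, r, P)) == t_star:       # avoid the 1/p event t = t*
        r = rand_zp_star()
    c = pow(g, r, P)
    pi = pow(pow(u, TCR(c), P) * v % P, r, P)
    consistent_ok = alt_decap(simsk, (c, pi)) == pow(h, r, P)
    # (3) an inconsistent query: every secret key (x1', x2', y1') that explains the same
    # pk (via Eq. (4)) yields a different virtual key, so it is unpredictable for A
    x, y = (x1 + w * x2) % p, (y1 - t_star * w * x2) % p
    virtual = set()
    for x2p in range(1, 6):
        x1p, y1p = (x - w * x2p) % p, (y + t_star * w * x2p) % p
        assert pow(g, x1p, P) * pow(h, x2p, P) % P == u
        assert pow(g, y1p, P) * pow(h, (-t_star * x2p) % p, P) % P == v
        virtual.add(alt_decap((x1p, x2p, y1p, t_star), (c, pi * g % P)))
    return challenge_ok, consistent_ok, len(virtual)
```

Part (3) is the information-theoretic core of Lemma 4.3: the public key fixes x = x_1 + ωx_2 and y = y_1 − t*ωx_2 but not x_2 itself, and for an inconsistent ciphertext the exponent of the virtual key is an affine function of 1/x_2.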
Game 6. The real challenge key $K^*_1$ is replaced by the random key $K^*_0 \in G$. Since in Game 5
we had $K^*_1 = h^a$ and apart from that the experiment was run using the values $g, h, g^a$ only
(where all three elements are random group elements), we have
\[ |\Pr[X_6] - \Pr[X_5]| \le \mathrm{Adv}^{\mathrm{ddh}}_{G,B_{\mathrm{ddh}}}(k). \]
(Note that $K^*_1$ is only used for $b = 1$, which occurs with probability 1/2.)
Finally, in Game 6 the distribution of the challenge key $K^*_0$ does not depend on b, and
consequently
\[ \Pr[X_6] = 1/2. \]
Collecting the probabilities proves the theorem.
It remains to prove Lemma 4.3.
Proof: For $j \in \{1, \ldots, Q\}$, let $E_j$ denote the event that in Game 4, adversary A submits as j-th
decryption query a ciphertext $(C_j, \mathrm{pred}_j)$ that gets rejected, but would not have been rejected
in Game 5. Let $E := E_1 \vee \ldots \vee E_Q$. Analogously, let F denote the event that in Game 5,
adversary A submits at any point a decapsulation query that does not get rejected, but would
have been rejected in Game 4. Games 4 and 5 proceed identically unless a decapsulation query
gets treated differently. Consequently,
\[ \Pr[X_4 \wedge \neg E] = \Pr[X_5 \wedge \neg F] \quad\text{and}\quad \Pr[E_1] + \ldots + \Pr[E_Q] \ge \Pr[E] = \Pr[F]. \tag{8} \]
Now consider events $\hat{E}_j$, where for $j \in \{1, \ldots, Q\}$, event $\hat{E}_j$ denotes that the j-th decryption
query $(C_j, \mathrm{pred}_j)$ in Game 4 gets rejected, but $\mathrm{pred}_j(K') = 1$ under an independently uniformly
chosen symmetric key $K' \xleftarrow{\$} G$. By definition of $\mathrm{uncert}(k)$ we have
\[ \frac{1}{Q} \cdot \sum_{1 \le j \le Q} \Pr[\hat{E}_j] \le \mathrm{uncert}_A(k), \]
since Game 4 has the same complexity as the original IND-CCCA experiment.⁶ We now claim
that
\[ \text{for all } j: \quad |\Pr[\hat{E}_j] - \Pr[E_j]| \le 1/p. \tag{9} \]
This implies
\[ \Pr[E_1] + \ldots + \Pr[E_Q] \le \Pr[\hat{E}_1] + \ldots + \Pr[\hat{E}_Q] + \frac{Q}{p} \le Q \cdot \left( \mathrm{uncert}_A(k) + \frac{1}{p} \right). \]
Combining this with (8) and using Lemma 3.2 proves the lemma.
It remains to prove Equation (9). Fix a security parameter k and $j \in \{1, \ldots, Q(k)\}$. Let $C = (c, \pi)$
be the ciphertext of the j-th decryption query in Game 4.
Let $t := \mathrm{TCR}(c)$, $r := \log_g c$, and $\beta := \log_g \pi$. Write furthermore $\omega = \log_g h$, and
$x = \log_g u = x_1 + \omega x_2$, $y = \log_g v = y_1 - t^* \omega x_2$ as before. Then $(c, \pi)$ is consistent iff $\pi = (u^t v)^r$, or,
alternatively, iff $\beta = r \cdot (tx + y)$. Furthermore, if $(c, \pi)$ is consistent, then $E_j$ and $\hat{E}_j$ cannot be
fulfilled by definition. However, we claim that under the condition that $(c, \pi)$ is inconsistent,
the "virtual key" $K'$ used to determine whether $\mathrm{pred}(K') = 1$ or not (according to the rules of
Game 5) is, just as the key $K'$ of event $\hat{E}_j$, uniformly distributed and independent of the choice
of the predicate pred. So assume $\beta \neq r \cdot (tx + y)$. For the key $K'$ from Game 5, it holds that
\[ \log_g K' = \log_g \left( \frac{\pi}{c^{t x_1 + y_1}} \right)^{\frac{1}{x_2(t - t^*)}} = \frac{1}{x_2(t - t^*)} \big( \beta - r \cdot (t x_1 + y_1) \big) = \frac{1}{x_2(t - t^*)} \big( \beta - r \cdot (tx + y) + r\omega x_2 \cdot (t - t^*) \big) = \frac{1}{x_2(t - t^*)} \underbrace{\big( \beta - r \cdot (tx + y) \big)}_{\neq 0} + r\omega, \]
where the third equality uses $t x_1 + y_1 = tx + y - \omega x_2 (t - t^*)$, which follows from the expressions for x and y above.
Define the mapping F through
\[ F(X) := (X - r\omega) \cdot \frac{t - t^*}{\beta - r \cdot (tx + y)} \bmod p. \]
By the assumptions $\beta - r \cdot (tx + y) \neq 0$ and $t - t^* \neq 0$, this mapping is well-defined and bijective
and only depends on information known (in an information-theoretic sense) to the adversary.
Hence, to show that, from A's perspective, $K'$ is (almost) uniformly distributed, it suffices to
show that $F(\log_g K') = 1/x_2 \bmod p$ is (almost) uniformly distributed given a public key. But
a public key determines only $x = x_1 + \omega x_2$ and $y = y_1 - t^* \omega x_2$. Hence, $x_2$ (and consequently
$1/x_2$) is still uniformly distributed over $\{1, \ldots, p-1\}$ and independent of A's view. This
implies $|\Pr[\hat{E}_j] - \Pr[E_j]| \le 1/p$, which is Equation (9).
⁶ There is some "fuzziness" here; depending on the used complexity model, Game 4 might have a complexity
which is only roughly that of the IND-CCCA game. Formally, a concrete security analysis requires in that case
that adversaries be also "valid when run in slightly more complex environments than the IND-CCCA game." We
stress that such an extension to our theory is possible, in fact straightforward, and in particular yields the results
one would expect. However, such an extension also requires a more complex set of definitions. In the interest of
a clear presentation, we stick to the usual but formally non-rigorous convention that slight changes to a security
game do not add to its complexity.
4.3 Comparison with Cramer-Shoup and Kurosawa-Desmedt
The following table summarizes the key-encapsulation part of the (only IND-CPA secure) ElGamal
scheme [16], the Cramer-Shoup encryption scheme [14], the Kurosawa-Desmedt scheme [24],
and ours.
  Scheme                          Ciphertext                        Encapsulated Key
  ElGamal                         $g^r$                             $h^r$
  Cramer-Shoup                    $g^r,\ \hat{g}^r,\ (u^t v)^r$     $h^r$
  Kurosawa-Desmedt                $g^r,\ \hat{g}^r$                 $(u^t v)^r$
  Dual Kurosawa-Desmedt (ours)    $g^r,\ (u^t v)^r$                 $h^r$
Here $\hat{g}$ is another element from the public key. Compared to the Cramer-Shoup scheme, the
Kurosawa-Desmedt scheme leaves out the value $h^r$ and defines $(u^t v)^r$ as the encapsulated key.
Our result shows that it is also possible to leave out the element $\hat{g}^r$ from the ciphertext and
that $\pi = (u^t v)^r$ is sufficient to authenticate $c = g^r$. Hence, our scheme can be viewed as the dual
of (the KEM part of) the Kurosawa-Desmedt scheme. From another point of view, compared
to the IND-CPA secure ElGamal scheme our scheme adds one group element $\pi = (u^t v)^r$ to the
KEM ciphertext, which is sufficient to prove it IND-CCCA secure under the DDH assumption.
From a technical point of view, our scheme mixes Cramer-Shoup like techniques [13] to obtain
a form of "plaintext awareness" for inconsistent ciphertexts with an "algebraic trick" from the
Boneh-Boyen identity-based encryption scheme [8] to decrypt consistent ciphertexts. Compared
to Cramer-Shoup based proofs [12, 14, 24, 2] the most important technical difference, caused
by the mentioned ability to decrypt consistent ciphertexts without knowing the full secret key,
is that during our simulation the challenge ciphertext is never made inconsistent. Intuitively
this is the reason why we manage to maintain a consistent simulation using less redundancy in
the secret key. This demonstrates that IND-CCCA security can be obtained with constructions
that inherently differ from hash proof systems.
On the other hand, the security proofs of all schemes based on IBE techniques [11, 10, 22,
23, 21] inherently rely on some sort of external consistency check for the ciphertexts. This
can be seen as the main reason why security of the IBE-based PKE schemes could only be
proved in pairing groups (or relative to a gap assumption), where the pairing was necessary to
help the proof identify inconsistent ciphertexts. In our setting, the consistency check is
done implicitly, using information-theoretic arguments borrowed from hash proof systems.
4.4 Explicit vs. implicit rejection
The scheme is given in its explicit-rejection variant, i.e. all inconsistent ciphertexts get immediately
rejected by the decapsulation algorithm. Following [14] we can also give an implicit-rejection
variant of the scheme, where inconsistent ciphertexts yield one uniform key and hence
will be rejected by the authenticity property of the DEM. Details are given in Appendix A. The
specific structure of the implicit-rejection KEM makes it possible to share the public elements g
and h among many parties, since decryption does not depend on the knowledge of $\omega = \log_g(h)$
anymore. Hence, similar to the Cramer-Shoup scheme, this implicit-rejection scheme can be used
in the setting of multi-recipient encryption [3], where one single message is being simultaneously
sent to a set of n different recipients.
4.5 A hash-free variant
Similar to [14] we can also give a hash-free variant of our scheme that abandons the hash
function $\mathrm{TCR} : G \to \mathbb{Z}_p$. This variant is useful when neither a bijective encoding nor a target-
collision resistant hash function TCR is available. In terms of computational efficiency and size
of public/secret keys the hash-free variant is slightly less efficient, but security can be proved
relying solely on the DDH assumption. Details are given in Appendix B.
4.6 Efficiency
We compare our new DDH-based scheme's efficiency with the one of Kurosawa and Desmedt
(in its more efficient "explicit-rejection" variant from [29]). Most importantly, the number of
exponentiations for encryption and decryption are equal in both schemes. Although our security
result is much more general (our KEM can be combined with any authenticated encryption
scheme) this is not an exclusive advantage of our scheme. In fact we can derive the same
result for the KD scheme from a more general theorem that we will prove in Section 6. (A
similar result about combining the Kurosawa-Desmedt scheme with authenticated encryption
was already obtained in [4] in the context of stateful encryption.)
However, there is one crucial difference in case one needs a scheme that is provably secure
solely on the DDH assumption. Note that security (of the KD scheme and ours) relies on
the DDH assumption and the assumption that TCR is target collision resistant. So as long
as one does not want to sacrifice provable security by implementing the TCR function with a
dedicated hash function like SHA-x or MD5 (which potentially renders the whole scheme insecure
given the recent progress in attacking certain hash functions [38, 39]), one must either resort
to inefficient generic constructions of TCR functions [25, 33], or one can use the "hash-free
technique" described in [14]. With this latter technique, one can get rid of the TCR function
completely; however, this comes at the cost of additional elements in the public and the secret
key, and additional exponentiations during encryption. This overhead is linear in the number of
elements that would have been hashed with the TCR. In the Kurosawa-Desmedt scheme, TCR
acts on two group elements whereas in our scheme only on one. Hence the hash-free variant of
our scheme is more efficient.
More importantly, since in our scheme a TCR is employed which maps one group element
to integers modulo the group order, this can also be a bijection. In many concrete groups,
e.g., when using the subgroup of quadratic residues modulo a safe prime or certain elliptic
curves, this bijection can be trivially implemented at zero cost [14, 10], without any additional
computational assumption, and without sacrificing provable security. See Appendix C for more
details. In terms of efficiency we view this as the main benefit of our scheme.
5 Key Encapsulation from n-Linear
5.1 Linear Assumptions
Let $n = n(k)$ be a polynomial in k. Generalizing [9, 21] we introduce the class of n-Linear
assumptions, which can be seen as a natural generalization of the DDH assumption and the
Linear assumption.
Let GS be a group scheme. We define the n-lin-advantage of an adversary $B_{n\text{-}\mathrm{lin}}$ as
\[ \mathrm{Adv}^{n\text{-}\mathrm{lin}}_{GS,B_{n\text{-}\mathrm{lin}}}(k) = \frac{1}{2}\,\Big| \Pr[B_{n\text{-}\mathrm{lin}}(g_1, \ldots, g_n, g_1^{r_1}, \ldots, g_n^{r_n}, h, h^{r_1 + \ldots + r_n}) = 1] - \Pr[B_{n\text{-}\mathrm{lin}}(g_1, \ldots, g_n, g_1^{r_1}, \ldots, g_n^{r_n}, h, K) = 1] \Big|, \]
where $g_1, \ldots, g_n, h, K \xleftarrow{\$} G$ and all $r_i \leftarrow \mathbb{Z}_p^*$. We say that the n-Linear Decisional Diffie-Hellman
(n-Linear) assumption relative to group scheme GS holds if $\mathrm{Adv}^{n\text{-}\mathrm{lin}}_{GS,B_{n\text{-}\mathrm{lin}}}$ is a negligible function
in k for all polynomial-time adversaries $B_{n\text{-}\mathrm{lin}}$.
The n-Linear assumptions form a strict hierarchy of security assumptions with 1-Linear
= DDH, 2-Linear = Linear [9] and, the larger the n, the weaker the n-Linear assumption. More
precisely, for any $n \ge 1$ we have that n-Linear implies (n+1)-Linear. On the other hand (extending
the case of n = 1 [9]) we can show that in the generic group model [35], the (n+1)-Linear
assumption holds even relative to an n-Linear oracle.
Lemma 5.1
\[ \text{DDH} = 1\text{-Linear} \;\Rightarrow\; 2\text{-Linear} \;\Rightarrow\; 3\text{-Linear} \;\Rightarrow\; \cdots, \]
where, by the generic-group separation just mentioned, none of the implications holds in the converse direction.
5.2 The key-encapsulation mechanism
Let GS be a group scheme where $GR_k$ specifies $(\hat{G}, G, g, p)$ and let $\mathrm{TCR} : G^{n+1} \to \mathbb{Z}_p$ be a target
collision resistant hash function. Generalizing the Kurosawa-Desmedt KEM, for a parameter
$n = n(k) \ge 1$, we build $\mathrm{KEM} = (\mathrm{KEM.Kg}, \mathrm{KEM.Enc}, \mathrm{KEM.Dec})$ as follows.
Key generation $\mathrm{KEM.Kg}(1^k)$ generates random group elements $g_1, \ldots, g_n, h \in G$. Furthermore,
it defines $u_j = g_j^{x_j} h^z$ and $v_j = g_j^{y_j} h^{z'}$ for random $z, z' \in \mathbb{Z}_p$ and $x_j, y_j \in \mathbb{Z}_p$ ($j \in \{1, \ldots, n\}$).
The public key contains the elements $h, (g_j, u_j, v_j)_{1 \le j \le n}$, and the secret key contains all
corresponding indices.
KEM.Enc($pk$):
  $\forall j \in \{1, \ldots, n\}$: $r_j \xleftarrow{\$} \mathbb{Z}_p^*$ ; $c_j \leftarrow g_j^{r_j}$
  $d \leftarrow h^{r_1 + \ldots + r_n}$ ; $t \leftarrow \mathrm{TCR}(c_1, \ldots, c_n, d)$
  $C \leftarrow (c_1, \ldots, c_n, d)$ ; $K \leftarrow \prod_{i=1}^n (u_i^t v_i)^{r_i}$
  Return $(C, K)$
KEM.Dec($sk, C$):
  $\forall j \in \{1, \ldots, n\}$: check if $c_j \in G$
  Check if $d \in G$
  $t \leftarrow \mathrm{TCR}(c_1, \ldots, c_n, d)$
  Return $K \leftarrow d^{zt + z'} \cdot \prod_{j=1}^n c_j^{x_j t + y_j}$
Ciphertexts contain n + 1 group elements, public/secret keys 2n + 1 elements. The scheme
instantiated with n = 1 precisely reproduces the KEM part of the Kurosawa-Desmedt encryption
scheme [24]. We remark that the scheme is presented in its implicit-rejection variant. It is also
possible to give a variant that explicitly rejects inconsistent ciphertexts.
Security of the schemes can be explained using the more general framework of computational
hash-proof systems. This will be done in Section 6.
Theorem 5.2 Let GS be a group scheme where the n-Linear problem is hard and assume TCR is
target collision resistant. Then KEM is secure in the sense of IND-CCCA.
5.3 The Dual Key Encapsulation Mechanism
Let GS be a group scheme where $GR_k$ specifies $(\hat{G}, G, g, p)$ and let $\mathrm{TCR} : G^n \to \mathbb{Z}_p$ be a
target collision resistant hash function. Generalizing our scheme from Section 4 for a parameter
$n = n(k) \ge 1$, we build $\mathrm{KEM} = (\mathrm{KEM.Kg}, \mathrm{KEM.Enc}, \mathrm{KEM.Dec})$ as follows.
Key generation $\mathrm{KEM.Kg}(1^k)$ generates random group elements $g_1, \ldots, g_n, h \in G$ and indices
$\omega_j$ such that $h = g_j^{\omega_j}$. Furthermore it defines $u_j = g_j^{x_j}$ and $v_j = g_j^{y_j}$ for random $x_j, y_j \in \mathbb{Z}_p$
($j \in \{1, \ldots, n\}$). The public key contains the elements $h, (g_j, u_j, v_j)_{1 \le j \le n}$, and the secret key
contains all corresponding indices.
KEM.Enc($pk$):
  $\forall j \in \{1, \ldots, n\}$: $r_j \xleftarrow{\$} \mathbb{Z}_p^*$ ; $c_j \leftarrow g_j^{r_j}$
  $t \leftarrow \mathrm{TCR}(c_1, \ldots, c_n)$
  $\pi \leftarrow \prod_{j=1}^n (u_j^t v_j)^{r_j}$
  $C \leftarrow (c_1, \ldots, c_n, \pi)$ ; $K \leftarrow h^{r_1 + \ldots + r_n}$
  Return $(C, K)$
KEM.Dec($sk, C$):
  $\forall j \in \{1, \ldots, n\}$: check if $c_j \in G$
  $t \leftarrow \mathrm{TCR}(c_1, \ldots, c_n)$
  If $\prod_{j=1}^n c_j^{x_j t + y_j} \neq \pi$ return $\bot$
  Return $K \leftarrow \prod_{j=1}^n c_j^{\omega_j}$
Correctness of the scheme can be verified analogously to Section 4. Ciphertexts contain n + 1
group elements, public/secret keys 3n + 1 elements. The scheme instantiated with n = 1 precisely
reproduces our DDH-based dual KD-KEM from Section 4.
Theorem 5.3 Let GS be a group scheme where the n-Linear problem is hard and assume TCR is
target collision resistant. Then KEM is secure in the sense of IND-CCCA. In particular,
\[ \mathrm{Adv}^{\mathrm{ccca}}_{\mathrm{KEM},t,Q,\mathrm{uncert}(k),E}(k) \le \mathrm{Adv}^{n\text{-}\mathrm{lin}}_{GS,t}(k) + \mathrm{Adv}^{\mathrm{tcr}}_{\mathrm{TCR},t}(k) + \mathrm{uncert}(k) + \frac{Qn}{p} \]
for a suitable environment E that roughly has the same complexity as the IND-CCCA experiment.
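As an added example (not code from the paper), the dual KEM of this section for general n, in the same toy group as the earlier examples (constructed constants P = 2039, p = 1019, g = 4; unsuitable for real use). Since no bijective encoding $G^n \to \mathbb{Z}_p$ exists for n > 1, TCR is realized here with SHA-256 reduced mod p, a dedicated hash function assumed target collision resistant as Section 4.1 allows; that choice is the example's assumption. Key generation picks h and ω_j and sets g_j = h^{1/ω_j}, which has the same distribution as picking g_j first and solving for ω_j. The demo confirms correctness, explicit rejection of an inconsistent π, and the n + 1 / 3n + 1 size claims; with n = 1 it is the Section 4 scheme.

```python
import hashlib
import secrets

P, p, g = 2039, 1019, 4   # toy safe-prime group as in the earlier examples (constructed)


def in_G(x: int) -> bool:
    return 0 < x < P and pow(x, p, P) == 1


def rand_zp_star() -> int:
    return 1 + secrets.randbelow(p - 1)


def rand_G() -> int:
    return pow(g, rand_zp_star(), P)       # a uniform non-identity element of G


def TCR_n(elems) -> int:
    """TCR : G^n -> Z_p via a dedicated hash (assumed target collision resistant)."""
    data = b"".join(e.to_bytes(2, "big") for e in elems)   # every element of Z_P fits in 2 bytes
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p


def dual_kg(n: int):
    """Pick h and ω_j with h = g_j^{ω_j} (here g_j := h^{1/ω_j}); u_j = g_j^{x_j}, v_j = g_j^{y_j}."""
    h = rand_G()
    xs, ys, ws, gs = [], [], [], []
    for _ in range(n):
        w = rand_zp_star()
        ws.append(w)
        gs.append(pow(h, pow(w, -1, p), P))
        xs.append(secrets.randbelow(p))
        ys.append(secrets.randbelow(p))
    us = [pow(gj, xj, P) for gj, xj in zip(gs, xs)]
    vs = [pow(gj, yj, P) for gj, yj in zip(gs, ys)]
    return (xs, ys, ws), (h, gs, us, vs)


def dual_enc(pk):
    """C = (c_1, ..., c_n, π) with c_j = g_j^{r_j}, π = ∏ (u_j^t v_j)^{r_j}; K = h^{Σ r_j}."""
    h, gs, us, vs = pk
    rs = [rand_zp_star() for _ in gs]
    cs = [pow(gj, rj, P) for gj, rj in zip(gs, rs)]
    t = TCR_n(cs)
    pi = 1
    for uj, vj, rj in zip(us, vs, rs):
        pi = pi * pow(pow(uj, t, P) * vj % P, rj, P) % P
    return (cs, pi), pow(h, sum(rs) % p, P)


def dual_dec(sk, C):
    """Explicit rejection: None (⊥) unless all c_j ∈ G and ∏ c_j^{x_j t + y_j} = π."""
    xs, ys, ws = sk
    cs, pi = C
    if len(cs) != len(xs) or not all(in_G(c) for c in cs):
        return None
    t = TCR_n(cs)
    check = 1
    for cj, xj, yj in zip(cs, xs, ys):
        check = check * pow(cj, (xj * t + yj) % p, P) % P
    if check != pi:
        return None
    K = 1
    for cj, wj in zip(cs, ws):
        K = K * pow(cj, wj, P) % P           # ∏ c_j^{ω_j} = ∏ h^{r_j} = h^{Σ r_j}
    return K


def demo(n: int):
    sk, pk = dual_kg(n)
    C, K = dual_enc(pk)
    cs, pi = C
    correct = dual_dec(sk, C) == K
    rejected = dual_dec(sk, (cs, pi * g % P)) is None      # inconsistent π
    pk_size = 1 + sum(len(part) for part in pk[1:])        # h plus (g_j, u_j, v_j)
    return correct, rejected, len(cs) + 1, pk_size
```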
The proof of Theorem 5.3 is similar to the one of Theorem 4.1. We quickly sketch the simulation
of the adversary's view. Given the values $(g_1, \ldots, g_n, c^*_1 = g_1^{r_1}, \ldots, c^*_n = g_n^{r_n}, h, T)$
from the n-Linear problem (where $T = h^{r_1 + \ldots + r_n}$ or random) the simulator picks random
$\tilde{x}_1, \ldots, \tilde{x}_n, \tilde{y}_1, \ldots, \tilde{y}_n, z \in \mathbb{Z}_p^*$ and defines the values $(u_i)_{1 \le i \le n}$ and $(v_i)_{1 \le i \le n}$ as
\[ u_i = g_i^{\tilde{x}_i} \cdot h^z, \qquad v_i = g_i^{\tilde{y}_i} \cdot h^{-t^* z}, \]
where $t^* = \mathrm{TCR}(c^*_1, \ldots, c^*_n)$. Note that (in an information-theoretic sense) through the public key
the adversary knows exactly 2n linear equations in the 2n + 1 variables $\tilde{x}_1, \ldots, \tilde{x}_n, \tilde{y}_1, \ldots, \tilde{y}_n, z$.
The challenge ciphertext is defined as $C^* = (c^*_1, \ldots, c^*_n, \prod_{i=1}^n (c^*_i)^{\tilde{x}_i t^* + \tilde{y}_i})$ and the encapsulated key
as T, which is either the real key $h^{r_1 + \ldots + r_n}$ or a random key. For a CCCA decapsulation query
$(C, \mathrm{pred})$ the virtual key K is computed as
\[ K = \left( \frac{\pi}{\prod_{i=1}^n c_i^{\tilde{x}_i t + \tilde{y}_i}} \right)^{\frac{1}{z(t - t^*)}} \]
and K is only returned to the adversary if $\mathrm{pred}(K) = 1$. As in the proof of Theorem 4.1 it can
be verified that (i) if C is consistent then K is the correct key; (ii) if C is inconsistent then (from
the adversary's view) K is a uniform random element in G and hence, with high probability,
the query will be rejected by the predicate test.
6 Key encapsulation from Hash Proof Systems
In [13] Cramer and Shoup showed that their original scheme in [14] was a special instance of a
generic framework based on hash proof systems (HPS). In this section we further elaborate on
the usefulness of constrained chosen-ciphertext secure KEMs by showing that they can be built
from any hash-proof system.
Following [24] we recall the basic ideas and show how to build IND-CCCA secure key encap-
sulation based on a computational variant of hash proof systems. Here we use a slightly different
notation that reflects our primary use of hash-proof systems as key-encapsulation mechanisms.
6.1 Hash proof systems
Let C, K be sets and V ⊂ C a language. Let Dsk : C → K be a hash function indexed with
sk ∈ S, where S is a set. A hash function Dsk is projective if there exists a projection µ : S → P
such that µ(sk) ∈ P defines the action of Dsk over the subset V. That is, for every C ∈ V, the
value K = Dsk (C) is uniquely determined by µ(sk) and C. In contrast, nothing is guaranteed
for C ∈ C V, and it may not be possible to compute Dsk (C) from µ(sk) and C. A strongly
universal2 projective hash function has the additional property that for C ∈ C V, the projection
key µ(sk) actually says nothing about the value of K = Dsk (C), even given an instance (C∗, K∗)
such that C∗ ∈ C V and K∗ = Dsk (C). More precisely, for all pk ∈ P, C, all C∗ ∈ C V with
C = C∗, all K, K∗ ∈ K,
Pr
sk∈S
Dsk (C∗)=K∗
µ(sk)=pk
[Dsk (C) = K] = 1/|K|. (10)
A hash proof system $HPS = (HPS.\mathrm{param}, HPS.\mathrm{pub}, HPS.\mathrm{priv})$ consists of three algorithms. The randomized algorithm $HPS.\mathrm{param}(1^k)$ generates instances of $\mathrm{params} = (\mathrm{group}, \mathcal{C}, \mathcal{V}, \mathcal{P}, \mathcal{S}, D_{(\cdot)} : \mathcal{C} \to \mathcal{K}, \mu : \mathcal{S} \to \mathcal{P})$, where $\mathrm{group}$ may contain some additional structural parameters. The deterministic public evaluation algorithm $HPS.\mathrm{pub}$ inputs the projection key $pk = \mu(sk)$, $C \in \mathcal{V}$ and a witness $w$ of the fact that $C \in \mathcal{V}$, and returns $K = D_{sk}(C)$. The deterministic private evaluation algorithm $HPS.\mathrm{priv}$ inputs $sk \in \mathcal{S}$ and $C \in \mathcal{C}$ and returns $D_{sk}(C)$, without knowing a witness. We further assume there are efficient algorithms given for sampling $sk \in \mathcal{S}$ and for sampling $C \in \mathcal{V}$ uniformly together with a witness $w$.
As computational problem we require that the subset membership problem is hard in $HPS$, which means that the two elements $C_1$ and $C_0$ are computationally indistinguishable, for random $C_1 \in \mathcal{V}$ and random $C_0 \in \mathcal{C} \setminus \mathcal{V}$. This is captured by defining the advantage function $\mathrm{Adv}^{\mathrm{sm}}_{HPS,A}(k)$ of an adversary $A$ as
$$\mathrm{Adv}^{\mathrm{sm}}_{HPS,A}(k) := \Big|\Pr\big[C_1 \xleftarrow{\$} \mathcal{V};\ b \xleftarrow{\$} A(\mathcal{C}, \mathcal{V}, C_1) : b = 1\big] - \Pr\big[C_0 \xleftarrow{\$} \mathcal{C} \setminus \mathcal{V};\ b \xleftarrow{\$} A(\mathcal{C}, \mathcal{V}, C_0) : b = 1\big]\Big| .$$
6.2 Key encapsulation from HPS
Using the above notion of a hash proof system, Kurosawa and Desmedt [24] proposed a hybrid
encryption scheme which improved the schemes from [13]. The key-encapsulation part of it is
as follows. The system parameters of the scheme consist of $\mathrm{params} \xleftarrow{\$} HPS.\mathrm{param}(1^k)$.
$KEM.\mathrm{Kg}(k)$. Choose random $sk \xleftarrow{\$} \mathcal{S}$ and define $pk = \mu(sk) \in \mathcal{P}$. Return $(pk, sk)$.
$KEM.\mathrm{Enc}(pk)$. Pick $C \xleftarrow{\$} \mathcal{V}$ together with its witness $\omega$ that $C \in \mathcal{V}$. The session key $K = D_{sk}(C) \in \mathcal{K}$ is computed as $K \leftarrow HPS.\mathrm{pub}(pk, C, \omega)$. Return $(K, C)$.
$KEM.\mathrm{Dec}(sk, C)$. Reconstruct the key $K = D_{sk}(C)$ as $K \leftarrow HPS.\mathrm{priv}(sk, C)$ and return $K$.
We can prove the following theorem, which is a slight generalization of [24].
Theorem 6.1 If $HPS$ is strongly universal$_2$ and the subset membership problem is hard in $HPS$,
then $KEM$ is secure in the sense of IND-CCCA.
Unfortunately, the original KEM part of the Kurosawa-Desmedt DDH-based hybrid encryption
scheme [24] cannot be explained using this framework and hence needed a separate proof of
security. This is because the underlying DDH-based hash proof system involves a target collision
resistant hash function $TCR$, which is a "computational primitive", whereas the strongly universal$_2$
property from Equation (10) is a statistical property which is in particular not fulfilled by the
DDH-based HPS from [13] used in [24]. In fact, the most efficient HPS-based schemes that are
known involve computation of a TCR function and hence all need a separate proof of security.
We note that this problem is inherited from the original HPS approach [14].
We overcome this problem by defining the weaker notion of computational hash proof systems.
6.3 Computational hash proof systems
We now define a weaker computational variant of strongly universal$_2$ hashing. To an adversary
$B = (B_1, B_2)$ we associate the following experiment $\mathrm{Exp}^{\mathrm{cu2}}_{HPS,B}(k)$.

Experiment $\mathrm{Exp}^{\mathrm{cu2}}_{HPS,B}(k)$:
  $\mathrm{params} \xleftarrow{\$} HPS.\mathrm{param}(1^k)$ ; $sk \xleftarrow{\$} \mathcal{S}$ ; $pk \leftarrow \mu(sk)$
  $C^* \xleftarrow{\$} \mathcal{C} \setminus \mathcal{V}$ ; $K^* \leftarrow D_{sk}(C^*)$ ; $(C, St) \xleftarrow{\$} B_1^{\mathrm{EvalD}(\cdot)}(pk, C^*, K^*)$
  $b \xleftarrow{\$} \{0,1\}$ ; $K_0 \xleftarrow{\$} \mathcal{K}$ ; $K_1 \leftarrow D_{sk}(C)$
  $b' \xleftarrow{\$} B_2(St, K_b)$
  If $b' = b$ return $1$ else return $0$

where the evaluation oracle $\mathrm{EvalD}(C)$ returns $K = D_{sk}(C)$ if $C \in \mathcal{V}$ and $\bot$ otherwise. We also
restrict to adversaries that only return ciphertexts $C \neq C^*$ and that ensure $C \in \mathcal{C} \setminus \mathcal{V}$. This
is without loss of generality, since $B_1$ can check $C \in \mathcal{V}$ with its oracle $\mathrm{EvalD}$. We define the
advantage of $B$ in the experiment as
$$\mathrm{Adv}^{\mathrm{cu2}}_{HPS,B}(k) = \Big|\Pr\big[\mathrm{Exp}^{\mathrm{cu2}}_{HPS,B}(k) = 1\big] - \tfrac{1}{2}\Big| .$$
A hash proof system $HPS$ is said to be computationally universal$_2$ (CU2) if for all polynomial-time
adversaries $B$ that satisfy these requirements, the advantage function $\mathrm{Adv}^{\mathrm{cu2}}_{HPS,B}(k)$ is a
negligible function in $k$.
The following theorem strengthens Theorem 6.1.
Theorem 6.2 If $HPS$ is computationally universal$_2$ and the subset membership problem is
hard, then $KEM$ from Section 6.2 is IND-CCCA secure. In particular,
$$\mathrm{Adv}^{\mathrm{ccca}}_{KEM,t,Q,\mathrm{uncert}(k)}(k) \le \mathrm{Adv}^{\mathrm{sm}}_{HPS,t}(k) + Q \cdot \mathrm{uncert}(k) + (2Q + 1) \cdot \mathrm{Adv}^{\mathrm{cu2}}_{HPS,t}(k) .$$
Proof: Let $A$ be an adversary on the IND-CCCA security of the KEM. We will consider a
sequence of games, Game 1, Game 2, ..., each game involving $A$. Let $X_i$ be the event that in
Game $i$ it holds that $b' = b$, i.e., that the adversary succeeds.
Game 1. The KEM IND-CCCA game with random $b \in \{0, 1\}$, i.e., we have
$$|\Pr[X_1] - 1/2| = \mathrm{Adv}^{\mathrm{ccca}}_{KEM,A}(k) .$$
At this point we can assume that the real key $K_1^*$ is computed as $K_1^* = D_{sk}(C^*)$ for a
uniformly chosen $C^* \xleftarrow{\$} \mathcal{V}$, whereas the random key $K_0^*$ is computed as $K_0^* \xleftarrow{\$} \mathcal{K}$.
Game 2. Replace the challenge ciphertext with $C^* \xleftarrow{\$} \mathcal{C} \setminus \mathcal{V}$ and still create the real challenge
key as $K_1^* = D_{sk}(C^*)$. Then
$$|\Pr[X_2] - \Pr[X_1]| \le \mathrm{Adv}^{\mathrm{sm}}_{HPS,A}(k) .$$
Game 3. Let $(\mathrm{pred}_j, C_j)$ be the $j$-th decapsulation query made by $A$. Decapsulation now
first checks if $C_j \in \mathcal{V}$. (Note that this check need not be efficiently implementable.) If yes, it
returns $K_j = D_{sk}(C_j)$, subject to the predicate test as before. If not, it rejects.
Let $E_j$ be the event that $C_j \in \mathcal{C} \setminus \mathcal{V}$ but $\mathrm{pred}_j(K_j) = 1$ for $K_j = D_{sk}(C_j)$, and define
$\vec{E}_j = E_1 \vee \cdots \vee E_j$ and $E = \vec{E}_Q$. Since unless $E$ happens Games 2 and 3 proceed identically, we have
$$|\Pr[X_3] - \Pr[X_2]| \le \Pr[E] .$$
We now upper bound $\Pr[E]$. Let $\hat{E}_j$ be the event that $C_j \in \mathcal{C} \setminus \mathcal{V}$ but $\mathrm{pred}_j(K) = 1$ for
an independently and uniformly chosen key $K \in \mathcal{K}$.
To do so, we define the following adversary $B = (B_1, B_2)$ against CU2 of $HPS$. Adversary
$B_1$ inputs $(pk, C_1^*, K_1^*)$ and first uniformly chooses $j^* \in \{1, \ldots, Q\}$. It then provides $A$
with $(pk, C_1^*, K_1^*)$. For $1 \le i \le j^* - 1$, adversary $A$'s $i$-th decapsulation query $(\mathrm{pred}_i, C_i)$
is processed as follows. First $B_1$ calls $\mathrm{EvalD}(C_i)$ to obtain $K_i$ or $\bot$. If the answer
was $\bot$ (which means that $C_i \notin \mathcal{V}$) it returns $\bot$ to $A$. Otherwise ($C_i \in \mathcal{V}$) $B_1$ has
$K_i = \mathrm{EvalD}(C_i) = KEM.\mathrm{Dec}(sk, C_i)$ and returns $K_i$ if $\mathrm{pred}_i(K_i) = 1$ and $\bot$ otherwise.
Adversary $A$'s $j^*$-th decapsulation query $(\mathrm{pred}_{j^*}, C_{j^*})$ is processed as follows. If $\mathrm{EvalD}(C_{j^*})$
yields a key $K_{j^*} \neq \bot$ (meaning $C_{j^*} \in \mathcal{V}$), then $B_1$ terminates and lets $B_2$ return $b' = 0$. Otherwise
($C_{j^*} \in \mathcal{C} \setminus \mathcal{V}$) $B_1$ returns $C_{j^*}$ to its own CU2 experiment. Finally, $B_2$ inputs a challenge key $K_b$ and returns
$b' = \mathrm{pred}_{j^*}(K_b)$ to its experiment and terminates.
We now analyze $B$'s success probability. In analogy to the events $\hat{E}_j$, define events $F_j$ and
$\hat{F}_j$. Here $F_j$ denotes the event that in the setting which $B$ simulates for $A$ (i.e., a
setting in which all of $A$'s queries $C \in \mathcal{C} \setminus \mathcal{V}$ get rejected), the $j$-th query $C_j$ is in $\mathcal{C} \setminus \mathcal{V}$ but
$\mathrm{pred}_j(K_j) = 1$ for $K_j = D_{sk}(C_j)$. Analogously, $\hat{F}_j$ denotes the event that in this setting $C_j$ is in $\mathcal{C} \setminus \mathcal{V}$ but
$\mathrm{pred}_j(K_j) = 1$ for a uniformly and independently chosen key $K_j$. Define $\vec{F}_j = F_1 \vee \cdots \vee F_j$,
$\vec{\hat{F}}_j = \hat{F}_1 \vee \cdots \vee \hat{F}_j$ as above, and $F = \vec{F}_Q$.
Now we inductively show that for all $j$ we have $\Pr[\vec{F}_j] = \Pr[\vec{E}_j]$.
For $j = 1$, this is clear from the definition. For $j > 1$, we have inductively
$$\Pr[\vec{F}_j] = \Pr[\vec{F}_j \wedge \vec{F}_{j-1}] + \Pr[\vec{F}_j \wedge \neg\vec{F}_{j-1}] = \Pr[\vec{F}_{j-1}] + \Pr[\vec{F}_j \mid \neg\vec{F}_{j-1}] \cdot \Pr[\neg\vec{F}_{j-1}]$$
$$\overset{(*)}{=} \Pr[\vec{E}_{j-1}] + \Pr[\vec{E}_j \mid \neg\vec{E}_{j-1}] \cdot \Pr[\neg\vec{E}_{j-1}] = \Pr[\vec{E}_j] .$$
In $(*)$, we use not only the induction hypothesis $\Pr[\vec{F}_{j-1}] = \Pr[\vec{E}_{j-1}]$, but also the fact that
$\Pr[\vec{F}_j \mid \neg\vec{F}_{j-1}] = \Pr[\vec{E}_j \mid \neg\vec{E}_{j-1}]$ for every $j$: conditioned on no inconsistent query having been accepted
before the $j$-th query, the simulated game and Game 2 have answered all previous queries identically, so this holds by
definition of $E_j$ and $F_j$. Similarly, we can show $\Pr[\vec{\hat{F}}_j] = \Pr[\vec{\hat{E}}_j]$ for arbitrary $j \in \{1, \ldots, Q\}$.
We split $\mathrm{Adv}^{\mathrm{cu2}}_{HPS,B}(k)$ into
$$\mathrm{Adv}^{\mathrm{cu2}}_{HPS,B}(k) = \Big|\tfrac{1}{2} \Pr[b' = 1 \mid b = 1] + \tfrac{1}{2} \Pr[b' = 0 \mid b = 0] - \tfrac{1}{2}\Big| = \tfrac{1}{2}\Big|\Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]\Big|$$
and consider the two summands separately. Now note that by definition of $B$ (which outputs $b' = 1$ exactly if
$C_{j^*} \in \mathcal{C} \setminus \mathcal{V}$ and $\mathrm{pred}_{j^*}(K_b) = 1$, for a uniformly chosen $j^*$) we have
$$\Pr[b' = 1 \mid b = 1] = \frac{1}{Q} \sum_{j=1}^{Q} \Pr[F_j] \;\ge\; \frac{1}{Q} \sum_{j=1}^{Q} \Pr[F_j \wedge \neg\vec{F}_{j-1}] = \frac{1}{Q} \Pr[\vec{F}_Q] = \frac{1}{Q} \Pr[\vec{E}_Q] = \frac{1}{Q} \Pr[E] ,$$
where the events $F_j \wedge \neg\vec{F}_{j-1}$ are disjoint with union $\vec{F}_Q$, whereas
$$\Pr[b' = 1 \mid b = 0] = \frac{1}{Q} \sum_{j=1}^{Q} \Pr[\hat{F}_j] \le \mathrm{uncert}_A(k) ,$$
since Game 2 has the same complexity as the original IND-CCCA game.$^7$ Summarizing,
we obtain
$$|\Pr[X_3] - \Pr[X_2]| \le \Pr[E] \le Q \cdot \big(2\,\mathrm{Adv}^{\mathrm{cu2}}_{HPS,t}(k) + \mathrm{uncert}_A(k)\big) .$$
$^7$ cf. footnote 6
Game 4. The real challenge key $K_1^*$ is replaced by the random key $K_0^* \in \mathcal{K}$. We have
$$|\Pr[X_4] - \Pr[X_3]| \le \mathrm{Adv}^{\mathrm{cu2}}_{HPS,t}(k) .$$
Finally, since in Game 4 the distribution of the challenge key $K_0^*$ is independent of $b$ we
have
$$\Pr[X_4] = 1/2 .$$
Collecting the probabilities proves the theorem.
6.4 A computational HPS from n-Linear
Let $GS$ be a group scheme where $GR_k$ specifies $(\hat{G}, G, g, p)$. Let $\mathrm{group} = (GR, g_1, \ldots, g_n, h)$,
where $g_1, \ldots, g_n, h$ are independent generators of $G$. Define $\mathcal{C} = G^{n+1}$ and
$$\mathcal{V} = \big\{ (g_1^{r_1}, \ldots, g_n^{r_n}, h^{r_1 + \cdots + r_n}) \in G^{n+1} : r_1, \ldots, r_n \in \mathbb{Z}_p \big\} .$$
The values $(r_1, \ldots, r_n) \in \mathbb{Z}_p^n$ are a witness of $C \in \mathcal{V}$.
Let $TCR : G^{n+1} \to \mathbb{Z}_p$ be a target collision resistant hash function. Let $\mathcal{S} = \mathbb{Z}_p^{2n+2}$, $\mathcal{P} = G^{2n}$,
and $\mathcal{K} = G$. For $sk = (x_1, y_1, \ldots, x_n, y_n, z, z') \in \mathbb{Z}_p^{2n+2}$, define $\mu(sk) = (u_1, \ldots, u_n, v_1, \ldots, v_n)$,
where, for $1 \le i \le n$, $u_i = g_i^{x_i} h^{z}$ and $v_i = g_i^{y_i} h^{z'}$. This defines the output of $HPS.\mathrm{param}(1^k)$. For
$C = (c_1, \ldots, c_n, d) \in \mathcal{C}$ define
$$D_{sk}(C) := d^{zt + z'} \cdot \prod_{i=1}^{n} c_i^{x_i t + y_i}, \quad \text{where } t = TCR(c_1, \ldots, c_n, d) . \qquad (11)$$
This defines $HPS.\mathrm{priv}(sk, C)$. Given $pk = \mu(sk)$, $C \in \mathcal{V}$ and a witness $w = (r_1, \ldots, r_n) \in \mathbb{Z}_p^n$
such that $C = (c_1, \ldots, c_n, d) = (g_1^{r_1}, \ldots, g_n^{r_n}, h^{r_1 + \cdots + r_n})$, public evaluation $HPS.\mathrm{pub}(pk, C, w)$
computes $K = D_{sk}(C)$ as
$$K = \prod_{i=1}^{n} (u_i^{t} v_i)^{r_i} .$$
Correctness follows by Equation (11) and the definition of $\mu$, since
$\prod_{i} (u_i^t v_i)^{r_i} = \prod_{i} g_i^{r_i (x_i t + y_i)} \cdot h^{(zt + z')(r_1 + \cdots + r_n)} = \prod_{i} c_i^{x_i t + y_i} \cdot d^{zt + z'}$.
This completes the description of
$HPS$. Clearly, under the n-Linear assumption, the subset membership problem is hard in $HPS$.
Obviously, the above defined $HPS$ is not strongly universal$_2$ in the sense of Equation (10): Equation (10) has to
hold for every $C \neq C^*$, including one with $TCR(C) = TCR(C^*)$, and for such a $C$ the key $D_{sk}(C)$ is determined
by $pk$, $C^*$ and $K^*$. But it is still computationally universal$_2$.
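The following Python program is an added worked example, not code from the paper: it implements $HPS.\mathrm{param}$, $\mu$, $HPS.\mathrm{pub}$ and $HPS.\mathrm{priv}$ of the n-Linear hash proof system above (Equation (11)) and runs the HPS-based KEM of Section 6.2 on top of it. It assumes a toy group (the quadratic residues modulo the safe prime 1019, of prime order 509, far too small for real use), models $TCR$ by SHA-256 reduced modulo the group order, and keeps the logarithms $\alpha_i = \log_{g_i} h$ produced during parameter generation only so that the demo can test membership in $\mathcal{V}$ the way $B_{tcr}$ does in the proof of Lemma 6.3. Besides checking that public and private evaluation agree on $\mathcal{V}$, it builds a second secret key with the same projection key and shows that the two keys agree on every consistent ciphertext but disagree on an inconsistent one, which is what "$pk$ says nothing about $D_{sk}(C)$ outside $\mathcal{V}$" means in practice.

```python
# Added example (not the paper's code): n-Linear HPS of Section 6.4 + KEM of Section 6.2.
# Toy group: Q = 2P+1 = 1019 is a safe prime, G = QR mod Q has prime order P = 509 (demo size only).
import hashlib
import secrets

Q, P = 1019, 509   # toy safe prime Q = 2P+1; G = quadratic residues mod Q, |G| = P
G0 = 4             # 2^2 is a quadratic residue and != 1, hence a generator of G

def hps_param(n):
    """HPS.param: independent generators g_1..g_n, h of G.  The trapdoors alpha_i = log_{g_i} h
    are kept ONLY so the demo can test membership in V (as B_tcr does); deployments discard them."""
    w = [secrets.randbelow(P - 1) + 1 for _ in range(n)]   # log_{G0} g_i
    omega = secrets.randbelow(P - 1) + 1                   # log_{G0} h
    return {"n": n, "g": [pow(G0, wi, Q) for wi in w], "h": pow(G0, omega, Q),
            "alpha": [omega * pow(wi, -1, P) % P for wi in w]}

def tcr(C):
    """TCR : G^{n+1} -> Z_P, modelled by SHA-256 mod P (assumption; stands in for a real TCR)."""
    digest = hashlib.sha256(",".join(map(str, C)).encode()).digest()
    return int.from_bytes(digest, "big") % P

def in_V(params, C):
    """C = (c_1..c_n, d) is in V iff prod_i c_i^{alpha_i} == d (trapdoor membership test)."""
    *cs, d = C
    acc = 1
    for ci, ai in zip(cs, params["alpha"]):
        acc = acc * pow(ci, ai, Q) % Q
    return acc == d

def mu(params, sk):
    """Projection: u_i = g_i^{x_i} h^z, v_i = g_i^{y_i} h^{z'}."""
    g, h = params["g"], params["h"]
    u = [pow(g[i], sk["x"][i], Q) * pow(h, sk["z"], Q) % Q for i in range(params["n"])]
    v = [pow(g[i], sk["y"][i], Q) * pow(h, sk["zp"], Q) % Q for i in range(params["n"])]
    return (u, v)

def keygen(params):
    """KEM.Kg: sk = (x_1, y_1, ..., x_n, y_n, z, z') uniform in Z_P^{2n+2}, pk = mu(sk)."""
    n = params["n"]
    sk = {"x": [secrets.randbelow(P) for _ in range(n)], "y": [secrets.randbelow(P) for _ in range(n)],
          "z": secrets.randbelow(P), "zp": secrets.randbelow(P)}
    return mu(params, sk), sk

def sample_V(params):
    """Uniform C in V together with its witness (r_1, ..., r_n)."""
    r = [secrets.randbelow(P) for _ in range(params["n"])]
    C = [pow(gi, ri, Q) for gi, ri in zip(params["g"], r)] + [pow(params["h"], sum(r) % P, Q)]
    return C, r

def hps_pub(pk, C, w):
    """HPS.pub: K = prod_i (u_i^t v_i)^{r_i}; needs only pk and the witness."""
    u, v = pk
    t = tcr(C)
    K = 1
    for ui, vi, ri in zip(u, v, w):
        K = K * pow(pow(ui, t, Q) * vi % Q, ri, Q) % Q
    return K

def hps_priv(sk, C):
    """HPS.priv: D_sk(C) = d^{z t + z'} * prod_i c_i^{x_i t + y_i}  (Equation (11))."""
    *cs, d = C
    t = tcr(C)
    K = pow(d, (sk["z"] * t + sk["zp"]) % P, Q)
    for i, ci in enumerate(cs):
        K = K * pow(ci, (sk["x"][i] * t + sk["y"][i]) % P, Q) % Q
    return K

def kem_enc(params, pk):
    C, w = sample_V(params)
    return hps_pub(pk, C, w), C

def kem_dec(sk, C):
    return hps_priv(sk, C)

def twin_key(params, sk):
    """A different secret key with the SAME projection key: y_i += alpha_i, z' -= 1
    (g_i^{alpha_i} = h, so every v_i is unchanged).  It must agree with sk on V."""
    y2 = [(yi + ai) % P for yi, ai in zip(sk["y"], params["alpha"])]
    return {"x": sk["x"], "y": y2, "z": sk["z"], "zp": (sk["zp"] - 1) % P}

def demo(n=2):
    params = hps_param(n)
    pk, sk = keygen(params)
    K, C = kem_enc(params, pk)
    sk2 = twin_key(params, sk)
    C_bad = C[:-1] + [C[-1] * params["h"] % Q]   # d' = h^{r_1+...+r_n+1}: not in V
    return {
        "pub_equals_priv": kem_dec(sk, C) == K,      # correctness of the KEM
        "C_in_V": in_V(params, C),
        "C_bad_in_V": in_V(params, C_bad),
        "twin_same_pk": mu(params, sk2) == pk,
        "twin_agrees_on_V": kem_dec(sk2, C) == K,    # pk determines D_sk on V ...
        "twin_differs_off_V": kem_dec(sk2, C_bad) != kem_dec(sk, C_bad),  # ... but not outside V
    }
```

Running `demo()` for $n = 1$ gives the Kurosawa-Desmedt instance; the "twin" key is exactly the kind of alternative secret key a reduction can switch to without the adversary noticing, as long as it never gets an inconsistent ciphertext decapsulated.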
Lemma 6.3 The n-Linear based HPS is computationally universal2.
Together with Theorem 6.2 this proves Theorem 5.2. For the case n = 1 this also gives an
alternative security proof for the Kurosawa-Desmedt scheme [24].
Proof: Consider an adversary $B$ in the CU2 experiment such that $B_1$ outputs a ciphertext
$C \in \mathcal{C} \setminus \mathcal{V}$ and let $K \leftarrow D_{sk}(C)$. Let $\mathrm{col}$ be the event that $C \neq C^*$ but $TCR(C) = TCR(C^*)$.
We claim that for the following adversary $B_{tcr}$ we have $\mathrm{Adv}^{\mathrm{tcr}}_{TCR,B_{tcr}}(k) = \Pr[\mathrm{col}]$. Adversary
$B_{tcr}$ inputs $(s, C^*)$ and generates a random instance of params with known indices $\alpha_i$ such that
$h = g_i^{\alpha_i}$ for $1 \le i \le n$. Furthermore, $B_{tcr}$ picks a random $sk \in \mathcal{S}$ and runs $B_1$ on $pk = \mu(sk)$, a random
$C^* \in \mathcal{C} \setminus \mathcal{V}$, and $K^* = D_{sk}(C^*)$. To answer a query to the evaluation oracle $\mathrm{EvalD}(\cdot)$, $B_{tcr}$ first
verifies $C = (c_1, \ldots, c_n, d) \in \mathcal{V}$ by checking if $\prod_{i=1}^{n} c_i^{\alpha_i} = d$ (for $c_i = g_i^{r_i}$ this product
equals $h^{r_1 + \cdots + r_n}$). If not, it returns $\bot$. Otherwise it returns
$K = D_{sk}(C)$. If event $\mathrm{col}$ happens for the ciphertext $C$ output by $B_1$, $B_{tcr}$ returns $C$ to its TCR
experiment and terminates.
Now we claim that, conditioned on $\neg\mathrm{col}$, the key $K = D_{sk}(C)$ is a uniform element in $\mathcal{K}$
independent of the adversary's view. This implies that not even a computationally unbounded
$B_2$ could succeed in the second stage. Hence, $\mathrm{Adv}^{\mathrm{cu2}}_{HPS,B}(k) \le \mathrm{Adv}^{\mathrm{tcr}}_{TCR,B_{tcr}}(k)$, which proves the
lemma.
Let $\log(\cdot) = \log_g(\cdot)$. Consider the view of $B_2$ consisting of the random variables $(pk, C^*, K^*, C)$,
where $sk = (x_1, y_1, \ldots, x_n, y_n, z, z') \xleftarrow{\$} \mathbb{Z}_p^{2n+2}$, $pk = \mu(sk) = (u_1, \ldots, u_n, v_1, \ldots, v_n)$,
$C^* = (c_1^*, \ldots, c_n^*, d^*) = (g_1^{r_1^*}, \ldots, g_n^{r_n^*}, h^{r^*})$ with $\sum_i r_i^* \neq r^*$ since $C^* \in \mathcal{C} \setminus \mathcal{V}$, $K^* = D_{sk}(C^*)$, and
$C = (c_1, \ldots, c_n, d) = (g_1^{r_1}, \ldots, g_n^{r_n}, h^{r})$ with $\sum_i r_i \neq r$ since $C \in \mathcal{C} \setminus \mathcal{V}$. From the system parameters
$g_1, \ldots, g_n, h$, adversary $B_2$ learns $\omega = \log h$ and $\omega_i = \log g_i$, and from $pk$,
$$\text{for } 1 \le i \le n: \quad \log u_i = \omega_i x_i + \omega z, \qquad \log v_i = \omega_i y_i + \omega z' . \qquad (12)$$
From $C^*$ the adversary learns $r_i^* = \log_{g_i} c_i^*$ and $r^* = \log_h d^*$, and from $K^*$ (by Equation (11)) the
value
$$\log K^* = \sum_{i=1}^{n} \omega_i r_i^* (x_i t^* + y_i) + \omega r^* (z t^* + z') , \qquad (13)$$
where $t^* = TCR(c_1^*, \ldots, c_n^*, d^*)$. Furthermore, from $C$, $B_2$ learns $r_i = \log_{g_i} c_i$ and $r = \log_h d$. Let
$K = D_{sk}(C)$. Our claim is that
$$\log K = \sum_{i=1}^{n} \omega_i r_i (x_i t + y_i) + \omega r (z t + z') , \qquad (14)$$
with $t = TCR(C) \neq t^*$, is a uniform element of $\mathbb{Z}_p$, independent of the rest of the view. Consider the system of linear
equations over the hidden values $x_1, \ldots, x_n, y_1, \ldots, y_n, z, z'$ defined by Equations (12), (13), and
(14). Its coefficient matrix $M \in \mathbb{Z}_p^{(2n+2) \times (2n+2)}$, with columns indexed by $x_1, \ldots, x_n, y_1, \ldots, y_n, z, z'$ and
all unmarked entries equal to $0$, is
$$M = \begin{pmatrix}
\omega_1 & & & & & & \omega & \\
& \ddots & & & & & \vdots & \\
& & \omega_n & & & & \omega & \\
& & & \omega_1 & & & & \omega \\
& & & & \ddots & & & \vdots \\
& & & & & \omega_n & & \omega \\
\omega_1 r_1^* t^* & \cdots & \omega_n r_n^* t^* & \omega_1 r_1^* & \cdots & \omega_n r_n^* & \omega t^* r^* & \omega r^* \\
\omega_1 r_1 t & \cdots & \omega_n r_n t & \omega_1 r_1 & \cdots & \omega_n r_n & \omega t r & \omega r
\end{pmatrix} .$$
Subtracting $r_i^* t^*$ times the $i$-th row and $r_i^*$ times the $(n+i)$-th row from the second-to-last row (and
$r_i t$, $r_i$ times the same rows from the last row) clears the first $2n$ entries of these two rows and leaves
$\big(\omega t^* (r^* - \sum_i r_i^*),\ \omega (r^* - \sum_i r_i^*)\big)$ and $\big(\omega t (r - \sum_i r_i),\ \omega (r - \sum_i r_i)\big)$ in the last two columns. Hence
$$\det(M) = \pm\, \omega^2 \prod_{i=1}^{n} \omega_i^2 \cdot (t - t^*) \Big(\sum_{i=1}^{n} r_i - r\Big) \Big(\sum_{i=1}^{n} r_i^* - r^*\Big) \neq 0 ,$$
so Equation (14) is linearly independent of (12) and (13), and since $sk$ is uniform in $\mathbb{Z}_p^{2n+2}$, $\log K$ is uniform given the view.
6.5 A computational HPS based on Paillier
For a reader familiar with this concept we briefly sketch a computational hash proof system
based on Paillier's Decision Composite Residuosity (DCR) assumption [13]. For more details
we refer the reader to [27, 13]. Let $p_1, q_1, p_2, q_2$ be primes where $p_1 = 2p_2 + 1$ and $q_1 = 2q_2 + 1$.
Define $N_1 = p_1 q_1$ and $N_2 = p_2 q_2$. Consider
$$\mathbb{Z}^*_{N_1^2} = G_{N_1} \times G_{N_2} \times G_2 \times T .$$
The subgroup $G \subseteq \mathbb{Z}^*_{N_1^2}$ given by $G = G_{N_1} \times G_{N_2}$ is cyclic of order $N_1 N_2$. Let $g$ be a generator
of $G$. Then $g_1 = g^{N_2}$ is a generator of $G_{N_1}$ and $g_2 = g^{N_1}$ is a generator of $G_{N_2}$. Each element
$h \in \mathbb{Z}_{N_1^2}$ can be uniquely written as $h = h_1 N_1 + h_2$, where $0 \le h_1, h_2 < N_1$. We define
$[h]_1 = h_1 = \lfloor h / N_1 \rfloor$ and $[h]_2 = h_2 = h \bmod N_1$.
Let $N_1, g_2$ be public parameters (that implicitly define the secret $N_2$). Define $\mathcal{C} = G$ and
$\mathcal{V} = G_{N_2}$. Let $TCR : \mathcal{C} \to \mathbb{Z}_{\lfloor N_1^2/2 \rfloor}$ be a target collision resistant hash function. For a $C = g_2^{r} \in \mathcal{V} \subset \mathcal{C}$,
the element $r \in W = \{0, \ldots, N_2 - 1\}$ is a witness (for $C \in \mathcal{V}$). Since $N_2$ is unknown,
public sampling from the set $\mathcal{V}$ is done by picking random $r \in W' = \{0, \ldots, \lfloor N_1/4 \rfloor\} \approx W$ and
computing $C = g_2^{r}$. The set $\mathcal{S}$ is defined as $\mathcal{S} = \{(x, y) : x, y \in \{0, \ldots, \lfloor N_1^2/2 \rfloor\}\}$, where
$\{0, \ldots, \lfloor N_1^2/2 \rfloor\} \approx \{0, \ldots, N_1 N_2 - 1\}$, so that $x, y$ are statistically close to uniform modulo the secret
group order $N_1 N_2$; the projection $\mu : \mathcal{S} \to \mathcal{P}$ is $\mu(sk) = (u = g_2^{x}, v = g_2^{y}) \in \mathcal{P} = G_{N_2}^2$.
The hash function $D_{sk} : \mathcal{C} \to \mathcal{K} = \mathbb{Z}_{N_1}$ is defined as
$$D_{sk}(C) = \big[\, C^{xt + y} \bmod N_1^2 \,\big]_1 , \quad \text{where } t = TCR(C) .$$
Given witness $r \in W$ such that $C = g_2^{r} \in \mathcal{V}$ and $(u, v) = \mu(sk)$, public evaluation
$HPS.\mathrm{pub}$ computes $K = D_{sk}(C)$ as $K = [\,(u^t v)^r \bmod N_1^2\,]_1$. For correctness we refer to [13]. This
completes the description of the hash proof system $HPS$.
The key has to be taken from the $G_{N_1}$ component, i.e. from $h_1$ rather than $h_2$: for $C \in \mathcal{C} \setminus \mathcal{V}$ we have
$C = g_1^{a} g_2^{b}$ with $a \neq 0$, so $C^{xt+y} = g_1^{a(xt+y)} \cdot g_2^{b(xt+y)}$, and since every element of $G_{N_1}$ is
$\equiv 1 \pmod{N_1}$, the residue $[C^{xt+y}]_2 = C^{xt+y} \bmod N_1$ is already determined by $(u^t v)^b$ and the adversary's
own $b$. Only $h_1$ depends on $(xt + y) \bmod N_1$, which the projection key $(u, v) \in G_{N_2}^2$ does not reveal.
As shown in [13], the subset membership problem is hard if the DCR assumption holds.
Using the techniques from [13] it is now easy to show that if $TCR$ is target collision resistant,
then $HPS$ is computationally universal$_2$.
Acknowledgements
We thank Ronald Cramer, Jorge Villar, Chen Yuan, and Moti Yung for their comments. We
thank Serge Vaudenay for pointing out the alternative definition of CCCA security.
References
[1] Masayuki Abe, Rosario Gennaro, and Kaoru Kurosawa. Tag-KEM/DEM: A new frame-
work for hybrid encryption. Cryptology ePrint Archive, Report 2005/027, 2005. http:
//eprint.iacr.org/. (Cited on page 3.)
[2] Masayuki Abe, Rosario Gennaro, Kaoru Kurosawa, and Victor Shoup. Tag-KEM/DEM:
A new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM.
In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 128–146.
Springer-Verlag, Berlin, Germany, May 2005. (Cited on page 2, 3, 16.)
[3] M. Bellare, A. Boldyreva, K. Kurosawa, and Jessica Staddon. Multi-recipient encryption
schemes: How to save on bandwidth and computation without sacrificing security. IEEE
Transactions on Information Theory, ???(???), 2007. (Cited on page 17, 30.)
[4] Mihir Bellare, Tadayoshi Kohno, and Victor Shoup. Stateful public-key cryptosystems:
How to encrypt with one 160-bit exponentiation. In Ari Juels, Rebecca N. Wright, and
Sabrina De Capitani di Vimercati, editors, ACM CCS 06, pages 380–389. ACM Press,
October / November 2006. (Cited on page 17.)
[5] Mihir Bellare and Chanathip Namprempre. Authenticated encryption: Relations among
notions and analysis of the generic composition paradigm. In Tatsuaki Okamoto, editor,
ASIACRYPT 2000, volume 1976 of LNCS, pages 531–545. Springer-Verlag, Berlin, Ger-
many, December 2000. (Cited on page 11, 32, 33.)
[6] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing
efficient protocols. In V. Ashby, editor, ACM CCS 93, pages 62–73. ACM Press, November
1993. (Cited on page 2.)
[7] D. J. Bernstein. Pippenger’s exponentiation algorithm. Available from http://cr.yp.to/
papers.html#pippenger, 2001. (Cited on page 12.)
[8] Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity based encryption without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004,
volume 3027 of LNCS, pages 223–238. Springer-Verlag, Berlin, Germany, May 2004. (Cited
on page 13, 16.)
[9] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In Matthew
Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer-Verlag,
Berlin, Germany, August 2004. (Cited on page 3, 4, 18.)
[10] Xavier Boyen, Qixiang Mei, and Brent Waters. Direct chosen ciphertext security from
identity-based techniques. In Vijayalakshmi Atluri, Catherine Meadows, and Ari Juels,
editors, ACM CCS 05, pages 320–329. ACM Press, November 2005. (Cited on page 2, 17,
18, 30, 31, 32.)
[11] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-
based encryption. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT 2004,
volume 3027 of LNCS, pages 207–222. Springer-Verlag, Berlin, Germany, May 2004. (Cited
on page 2, 17.)
[12] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure
against adaptive chosen ciphertext attack. In Hugo Krawczyk, editor, CRYPTO’98, volume
1462 of LNCS, pages 13–25. Springer-Verlag, Berlin, Germany, August 1998. (Cited on
page 1, 2, 16.)
[13] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen
ciphertext secure public-key encryption. In Lars R. Knudsen, editor, EUROCRYPT 2002,
volume 2332 of LNCS, pages 45–64. Springer-Verlag, Berlin, Germany, April / May 2002.
(Cited on page 1, 2, 3, 16, 20, 21, 25, 26.)
[14] Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption
schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing,
33(1):167–226, 2003. (Cited on page 1, 2, 4, 5, 6, 8, 9, 11, 16, 17, 18, 20, 21, 30, 32, 33.)
[15] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM Journal
on Computing, 30(2):391–437, 2000. (Cited on page 1, 4.)
[16] Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete
logarithms. In G. R. Blakley and David Chaum, editors, CRYPTO’84, volume 196 of
LNCS, pages 10–18. Springer-Verlag, Berlin, Germany, August 1985. (Cited on page 16.)
[17] Rosario Gennaro and Victor Shoup. A note on an encryption scheme of Kurosawa and
Desmedt. Cryptology ePrint Archive, Report 2004/194, 2004. http://eprint.iacr.org/.
(Cited on page 2.)
[18] D. Hofheinz, J. Herranz, and E. Kiltz. The Kurosawa-Desmedt key encapsulation is not
chosen-ciphertext secure. Cryptology ePrint Archive, Report 2006/207, 2006. http://
eprint.iacr.org/. (Cited on page 2.)
[19] Antoine Joux and Kim Nguyen. Separating decision Diffie-Hellman from computational
Diffie-Hellman in cryptographic groups. Journal of Cryptology, 16(4):239–247, September
2003. (Cited on page 2, 3.)
[20] Jonathan Katz and Moti Yung. Unforgeable encryption and chosen ciphertext secure modes
of operation. In Bruce Schneier, editor, FSE 2000, volume 1978 of LNCS, pages 284–299.
Springer-Verlag, Berlin, Germany, April 2000. (Cited on page 33.)
[21] E. Kiltz. Chosen-ciphertext secure key-encapsulation based on Gap Hashed Diffie-Hellman.
In Proceedings of PKC 2007, volume 4450 of LNCS, pages 282 – 297, 2007. http://eprint.
iacr.org/2007/036. (Cited on page 3, 4, 17, 18.)
[22] Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In Shai Halevi and Tal
Rabin, editors, TCC 2006, volume 3876 of LNCS, pages 581–600. Springer-Verlag, Berlin,
Germany, March 2006. (Cited on page 2, 4, 17.)
[23] Eike Kiltz. On the limitations of the spread of an IBE-to-PKE transformation. In Moti
Yung, Yevgeniy Dodis, Aggelos Kiayias, and Tal Malkin, editors, PKC 2006, volume 3958
of LNCS, pages 274–289. Springer-Verlag, Berlin, Germany, April 2006. (Cited on page 2,
17.)
[24] Kaoru Kurosawa and Yvo Desmedt. A new paradigm of hybrid encryption scheme. In
Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 426–442. Springer-
Verlag, Berlin, Germany, August 2004. (Cited on page 2, 3, 11, 16, 19, 20, 21, 24.)
[25] Moni Naor and Moti Yung. Universal one-way hash functions and their cryptographic
applications. In 21st ACM STOC, pages 33–43. ACM Press, May 1989. (Cited on page 11,
17.)
[26] Digital Signature Standard, FIPS Publication 186-3. National Institute of Standards and
Technology, NIST FIPS PUB 186-3, U.S. Department of Commerce, March 2006. (Cited
on page 30.)
[27] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In
Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 223–238. Springer-
Verlag, Berlin, Germany, May 1999. (Cited on page 25.)
[28] Duong Hieu Phan and David Pointcheval. About the security of ciphers (semantic security
and pseudo-random permutations). In Helena Handschuh and Anwar Hasan, editors, SAC
2004, volume 3357 of LNCS, pages 182–197. Springer-Verlag, Berlin, Germany, August
2004. (Cited on page 33.)
[29] Le Trieu Phong and Wakaha Ogata. On a variation of Kurosawa-Desmedt encryption
scheme. Cryptology ePrint Archive, Report 2006/031, 2006. http://eprint.iacr.org/.
(Cited on page 3, 17.)
[30] Charles Rackoff and Daniel R. Simon. Non-interactive zero-knowledge proof of knowledge
and chosen ciphertext attack. In Joan Feigenbaum, editor, CRYPTO’91, volume 576 of
LNCS, pages 433–444. Springer-Verlag, Berlin, Germany, August 1992. (Cited on page 1,
4.)
[31] Phillip Rogaway, Mihir Bellare, John Black, and Ted Krovetz. OCB: A block-cipher mode
of operation for efficient authenticated encryption. In ACM CCS 01, pages 196–205. ACM
Press, November 2001. (Cited on page 2, 11.)
[32] Phillip Rogaway and Thomas Shrimpton. A provable-security treatment of the key-wrap
problem. In Serge Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages
373–390. Springer-Verlag, Berlin, Germany, May / June 2006. (Cited on page 5.)
[33] John Rompel. One-way functions are necessary and sufficient for secure signatures. In 22nd
ACM STOC, pages 387–394. ACM Press, May 1990. (Cited on page 17.)
[34] Hovav Shacham. A cramer-shoup encryption scheme from the linear assumption and from
progressively weaker linear variants. Cryptology ePrint Archive, Report 2007/074, 2007.
http://eprint.iacr.org/. (Cited on page 4.)
[35] Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy,
editor, EUROCRYPT’97, volume 1233 of LNCS, pages 256–266. Springer-Verlag, Berlin,
Germany, May 1997. (Cited on page 3, 18.)
[36] Victor Shoup. Using hash functions as a hedge against chosen ciphertext attack. In Bart
Preneel, editor, EUROCRYPT 2000, volume 1807 of LNCS, pages 275–288. Springer-Verlag,
Berlin, Germany, May 2000. (Cited on page 1.)
[37] G. S. Vernam. Cipher printing telegraph systems for secret wire and radio telegraphic
communications. Journal of the American Institute of Electrical Engineers, 45:109–115,
1926. (Cited on page 33.)
[38] Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions. In Ronald
Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 19–35. Springer-Verlag,
Berlin, Germany, May 2005. (Cited on page 17.)
[39] Xiaoyun Wang, Hongbo Yu, and Yiqun Lisa Yin. Efficient collision search attacks on SHA-0.
In Victor Shoup, editor, CRYPTO 2005, volume 3621 of LNCS, pages 1–16. Springer-Verlag,
Berlin, Germany, August 2005. (Cited on page 17.)
[40] Mark N. Wegman and Larry Carter. New hash functions and their use in authentication
and set equality. Journal of Computer and System Sciences, 22:265–279, 1981. (Cited on
page 32.)
A An implicit-rejection variant of the dual KD scheme
We sketch a variant of our dual KD scheme from Section 4, where decapsulation is modified such
that inconsistent ciphertexts get only implicitly rejected. Both variants have the same security
properties as the dual KD scheme. We remark that it is also possible to give the same variant
for the schemes based on the class of n-Linear assumptions from Section 5.
Let $GS$ be a group scheme where $GR_k$ specifies $(\hat{G}, G, g, p)$. We furthermore assume that $GR_k$
contains a second random generator $h \in G$. Let $TCR : G \to \mathbb{Z}_p$ be a target collision resistant
hash function (for simplicity we assume $TCR$ to be non-keyed). We build a key encapsulation
mechanism $KEM = (KEM.\mathrm{Kg}, KEM.\mathrm{Enc}, KEM.\mathrm{Dec})$ with $\mathcal{K} = G$ as follows.

$KEM.\mathrm{Kg}(1^k)$:
  $x_1, y_1, y_2 \xleftarrow{\$} \mathbb{Z}_p^*$
  $u \leftarrow g^{-x_1/y_2}$ ; $v \leftarrow g^{-y_1/y_2} h^{1/y_2}$
  $pk \leftarrow (u, v) \in G^2$ ; $sk \leftarrow (x_1, y_1, y_2) \in (\mathbb{Z}_p)^3$
  Return $(sk, pk)$

$KEM.\mathrm{Enc}(pk)$:
  $r \xleftarrow{\$} \mathbb{Z}_p^*$ ; $c \leftarrow g^r$
  $t \leftarrow TCR(c)$ ; $\pi \leftarrow (u^t v)^r$
  $C \leftarrow (c, \pi) \in G^2$ ; $K \leftarrow h^r \in G$
  Return $(C, K)$

$KEM.\mathrm{Dec}(sk, C)$:
  Parse $C$ as $(c, \pi) \in \hat{G} \times \hat{G}$
  If $c \notin G$ or $\pi \notin G$ return $\bot$
  $t \leftarrow TCR(c)$
  Return $K \leftarrow c^{x_1 t + y_1} \cdot \pi^{y_2}$
Note that decryption has to ensure that both elements $c, \pi$ are contained in $G$, whereas the
explicit-rejection scheme only has to check if $c$ is contained in $G$. Further, the two generators $g, h$
can be viewed as fixed over a multi-user PKI environment. That means that $g, h$ can be put in
the general system parameters and only $u, v$ have to be distinct for each user.
Correctness can be verified as follows. Without loss of generality, assume $u^t v \neq 1$.
Let $\omega = \log_g h$. For an arbitrary ciphertext $(c, \pi)$ we have $c = g^{r_1}$ and
$$\pi = (u^t v)^{r_2} = \big(g^{(-x_1/y_2) t - y_1/y_2} h^{1/y_2}\big)^{r_2} = g^{\,r_2 \cdot \frac{-(x_1 t + y_1) + \omega}{y_2}} ,$$
where $r_1 = r_2$ iff the ciphertext was correctly generated. Decapsulation computes $K$ as
$$K = c^{x_1 t + y_1} \cdot \pi^{y_2} = g^{\,r_1 (x_1 t + y_1) + r_2 (-(x_1 t + y_1) + \omega)} = h^{r_2} \cdot g^{(r_1 - r_2)(x_1 t + y_1)} .$$
In case the ciphertext is consistent this reconstructs the correct key. In case the ciphertext is
not consistent, decapsulation yields a key $K$ that is uniformly distributed from the adversary's view, since the
exponent $x_1 t + y_1$ is hidden. However, in the IND-CCCA game it
will be hard for an adversary to provide sufficient information (in form of a predicate) about $K$.
Hence, informally speaking, inconsistent decapsulation queries are not useful.
A.1 Multi-user setting
The specific structure of the implicit-rejection KEM makes it possible to share the public elements
$g$ and $h$ among many parties, since decryption does not depend on the knowledge of
$\omega = \log_g(h)$ anymore. Hence, similar to the Cramer-Shoup scheme, this implicit-rejection scheme
can be used in the setting of multi-recipient encryption [3], where one single message is being
simultaneously sent to a set of $n$ different recipients.
Here the global system parameters consist of the two group elements $g, h$ and the individual
public key of the $i$-th recipient only consists of the two group elements $(u_i, v_i)$. To encrypt a
message to $n$ different recipients, the encapsulated symmetric key $K = h^r$ and the first element
of the ciphertext $c = g^r$ can be shared among all recipients. Hence the multi-receiver ciphertext
consists of $c = g^r$, the symmetric part $DEM.\mathrm{Enc}_K(M)$ and the individual parts $\pi_i = (u_i^t v_i)^r$, for
$i \in \{1, \ldots, n\}$. Compared to the naive solution (applying the hybrid encryption scheme $n$ times)
this saves $n - 1$ times the symmetric part (each contains $m + k$ bits) plus $n$ group elements.
B A hash-free variant of the dual KD scheme
Following [14] we give a hash-free variant $KEM = (KEM.\mathrm{Kg}, KEM.\mathrm{Enc}, KEM.\mathrm{Dec})$ which can
be used in case the dual KD KEM has to be implemented in groups where there is no efficient
bijection $TCR^* : G \to \mathbb{Z}_p$ known. The hash-free variant basically implements an injective
encoding $CHOP : \hat{G} \to \mathbb{Z}_p^{\ell}$ for a sufficiently large $\ell \ge 1$. In principle, such encodings always
exist, since we can, similar to [14, 10], always write down the $p$-adic representation of any
encoding of an element $c \in \hat{G}$. E.g., in case $\hat{G} = \mathbb{Z}_q$ and $G \subseteq \mathbb{Z}_q$ has prime order $p$, one would
have $\ell = \lceil \log_p(q) \rceil = \lceil |q| / |p| \rceil$. For all practical choices of $p$ and $q$ we have $q \le p^2$ (for example,
all NIST recommended elliptic curves [26]) and hence $\ell \le 2$. Hence, $CHOP$ can be implemented
using "mod $p$" operations at negligible cost (compared to one exponentiation).

$KEM.\mathrm{Kg}(1^k)$:
  $\omega \xleftarrow{\$} \mathbb{Z}_p^*$ ; $h \leftarrow g^{\omega}$
  $\forall i \in \{1, \ldots, \ell\}$ : $x_i \xleftarrow{\$} \mathbb{Z}_p$ ; $u_i \leftarrow g^{x_i}$
  $pk \leftarrow (u_1, \ldots, u_\ell, h) \in G^{\ell + 1}$ ; $sk \leftarrow (x_1, \ldots, x_\ell, \omega) \in (\mathbb{Z}_p)^{\ell + 1}$
  Return $(sk, pk)$

$KEM.\mathrm{Enc}(pk)$:
  $r \xleftarrow{\$} \mathbb{Z}_p^*$ ; $c \leftarrow g^r$
  $(t_1, \ldots, t_\ell) \leftarrow CHOP(c)$
  $\pi \leftarrow \big(\prod_{i=1}^{\ell} u_i^{t_i}\big)^r$
  $C \leftarrow (c, \pi) \in G^2$ ; $K \leftarrow h^r \in G$
  Return $(C, K)$

$KEM.\mathrm{Dec}(sk, C)$:
  Parse $C$ as $(c, \pi) \in \hat{G} \times \hat{G}$
  If $c \notin G$ return $\bot$
  $(t_1, \ldots, t_\ell) \leftarrow CHOP(c)$
  If $c^{\sum_{i=1}^{\ell} x_i t_i} \neq \pi$ return $\bot$
  Return $K \leftarrow c^{\omega}$

Encryption takes $\ell + 3$ exponentiations, where the generation of $\pi$ can again be viewed as a single
multi-exponentiation (as long as $\ell$ is a small constant). Decryption takes two exponentiations
which can be viewed as one sequential exponentiation. The public key contains $\ell + 2$ elements in $G$,
the secret key $\ell + 2$ elements in $\mathbb{Z}_p$. Again, for most practical group schemes, $\ell = 2$.
Comparison with Kurosawa-Desmedt. A corresponding hash-free variant of the Kurosawa-
Desmedt scheme has key sizes $|pk| = \ell + 2$, $|sk| = 2\ell$, where $\ell = \lceil 2|q| / |p| \rceil$ (due to the fact that
$CHOP$ has to map two group elements to $\mathbb{Z}_p^{\ell}$). Encryption has $\ell + 3$ exponentiations, decryption
three. Assuming $q \le p^2$ we get $\ell \le 4$.
C Target collision resistant hashing
In the description of the schemes, the target collision resistant hash function $TCR$ maps elements
from $G$ to $\mathbb{Z}_p$. However, $G$ is a subgroup of $\hat{G}$ and hence elements from $G$ are usually represented
as elements from $\hat{G}$. Hence, what we need is a function $TCR : \hat{G} \to \mathbb{Z}_p$ that is target
collision-resistant on $G \subseteq \hat{G}$.
In this section we show that for many interesting group schemes $GS$ we can implement such
hash functions very efficiently by exploiting the fact that the order of $G$ equals $p$, i.e., by giving
a function $TCR^* : \hat{G} \to \mathbb{Z}_p$ that is a bijection on $G$.
As already pointed out in [10] we note that it is sufficient for our application that $TCR^*$ is
injective on an overwhelming fraction of $G$. In case we can efficiently find out if a given element
is "non-bijective" we define $TCR^+$ as follows.
$$TCR^+(c_1) = \begin{cases} \bot & \text{if there exists } c_1' \neq c_1 \text{ with } TCR^*(c_1') = TCR^*(c_1) \\ TCR^*(c_1) & \text{otherwise} \end{cases}$$
Our PKE schemes have to be adapted to handle the case that $TCR^+(c_1)$ outputs $\bot$. For encryption,
if $TCR^+(c_1) = \bot$, then the encryption algorithm starts from scratch with a fresh (random)
value $c_1 = g^{r}$. For decryption, all ciphertexts containing an element $c_1$ with $TCR^+(c_1) = \bot$
simply get rejected.
Elliptic curves. An elliptic curve is defined by an equation of the form
$$y^2 = x^3 + ax + b .$$
If the coordinates $x$ and $y$ are chosen from a large finite field $\mathbb{F}$, the solutions form a finite abelian
group $\hat{G} = E(\mathbb{F})$ with $O$, the distinguished point at infinity, playing the role of the identity.
According to Hasse's theorem the number of points on a curve is close to the size of
the underlying field; more precisely, $(\sqrt{|\mathbb{F}|} - 1)^2 \le |E(\mathbb{F})| \le (\sqrt{|\mathbb{F}|} + 1)^2$. We consider the case
where $E(\mathbb{F})$ already has prime order $p$ and set $G = \hat{G} = E(\mathbb{F})$. Then the mapping
$$TCR^+(x, y) = \begin{cases} \bot & \text{if } x \ge p \\ x & \text{otherwise} \end{cases}$$
is a bijection on an overwhelming fraction of $G$ [10]. (When instantiating this, keep in mind that the two
points $(x, y)$ and $(x, -y)$, i.e. a point and its inverse, share the $x$-coordinate; the argument in [10] has to
cover such pairs.) We also remark that since $\hat{G} = G$, the
subgroup membership test becomes trivial.
Group of quadratic residues modulo a safe prime. Let $\hat{G} = \mathbb{Z}_q^*$ for a safe prime $q$ with
$q = 2p + 1$, where $p$ is a prime. Let $G$ be the group of nonzero quadratic residues modulo $q$. The
order of $G$ equals $p$. Consider the following function:
$$TCR^*(x) = \begin{cases} x & \text{if } x \le p \\ q - x & \text{otherwise.} \end{cases}$$
It is shown in [14, Example 2] that the function $TCR^*$ is a bijection on $G$. We remark that subgroup
membership tests can be efficiently implemented by evaluating the Jacobi symbol.
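As an added example (not the paper's code), the following Python program implements the implicit-rejection KEM of Appendix A, its multi-recipient use from A.1, and the hash-free $TCR^*$ just described, over the quadratic residues modulo a safe prime $q = 2p + 1$. It assumes a 64-bit safe prime found deterministically at import time (a demonstration size, not a secure one), uses $TCR^*$ unkeyed as Appendix A allows, and tests subgroup membership with Euler's criterion, which is the Jacobi-symbol test for a prime modulus. It checks that decapsulating an inconsistent $(c, \pi)$ returns a group element different from $h^r$ rather than $\bot$ (implicit rejection), that a non-residue $\pi$ is caught by the membership test, and that one $(c, K)$ serves several recipients.

```python
# Added example (not the paper's code): implicit-rejection dual KD KEM (Appendix A),
# multi-recipient use (A.1) and TCR* of Appendix C over G = QR mod a safe prime q = 2p+1.
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Deterministic Miller-Rabin; this base set is exact for all n < 3.3e24."""
    if n < 2:
        return False
    for sp in _BASES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    """Smallest safe prime q = 2p+1 with prime p >= start (deterministic search)."""
    p = start | 1
    while not (_is_prime(p) and _is_prime(2 * p + 1)):
        p += 2
    return 2 * p + 1, p

q, p = safe_prime_from(1 << 63)   # hat G = Z_q^*, G = QR mod q of prime order p (64-bit: DEMO SIZE ONLY)
g = 4                             # 2^2 is a residue and != 1, hence a generator of G

def in_G(x):
    """Subgroup membership via Euler's criterion: x is a residue iff x^p = 1 mod q."""
    return 0 < x < q and pow(x, p, q) == 1

def tcr_star(c):
    """TCR* : G -> Z_p (Appendix C); exactly one of c, q-c is a residue, so this is a bijection on G."""
    return c if c <= p else q - c

def kem_kg(h):
    """KEM.Kg: u = g^{-x1/y2}, v = g^{-y1/y2} h^{1/y2}; sk = (x1, y1, y2)."""
    x1, y1, y2 = (secrets.randbelow(p - 1) + 1 for _ in range(3))
    inv_y2 = pow(y2, -1, p)
    u = pow(g, -x1 * inv_y2 % p, q)
    v = pow(g, -y1 * inv_y2 % p, q) * pow(h, inv_y2, q) % q
    return (u, v), (x1, y1, y2)

def kem_enc(h, pk):
    """KEM.Enc: C = (c, pi) = (g^r, (u^t v)^r) with t = TCR*(c); K = h^r."""
    u, v = pk
    r = secrets.randbelow(p - 1) + 1
    c = pow(g, r, q)
    pi = pow(pow(u, tcr_star(c), q) * v % q, r, q)
    return (c, pi), pow(h, r, q)

def kem_dec(sk, C):
    """KEM.Dec with implicit rejection: K = c^{x1 t + y1} pi^{y2}.  Only elements outside G are
    rejected explicitly (None plays the role of bottom); an inconsistent pair yields a wrong key."""
    x1, y1, y2 = sk
    c, pi = C
    if not (in_G(c) and in_G(pi)):    # BOTH elements must be checked in this variant
        return None
    t = tcr_star(c)
    return pow(c, (x1 * t + y1) % p, q) * pow(pi, y2, q) % q

def multi_enc(h, pks):
    """A.1: one c = g^r and one key h^r shared by all recipients, one pi_i per recipient."""
    r = secrets.randbelow(p - 1) + 1
    c = pow(g, r, q)
    t = tcr_star(c)
    return c, [pow(pow(u, t, q) * v % q, r, q) for (u, v) in pks], pow(h, r, q)

def demo():
    h = pow(g, secrets.randbelow(p - 1) + 1, q)   # second generator, a system parameter
    pk, sk = kem_kg(h)
    (c, pi), K = kem_enc(h, pk)
    K_bad = kem_dec(sk, (c, pi * g % q))          # inconsistent: pi replaced by pi*g (still in G)
    pks, sks = zip(*(kem_kg(h) for _ in range(3)))
    c_m, pis, K_m = multi_enc(h, list(pks))
    return {
        "correct": kem_dec(sk, (c, pi)) == K,
        "implicit_reject": K_bad is not None and K_bad != K,       # a key comes back, but the wrong one
        "non_residue_rejected": kem_dec(sk, (c, q - pi)) is None,  # -pi is a non-residue since q = 3 mod 4
        "multi_all_recover": all(kem_dec(sks[i], (c_m, pis[i])) == K_m for i in range(3)),
    }
```

Because $K_{bad} = K \cdot g^{y_2}$ here, the wrong key is a uniformly distributed group element from the point of view of someone who does not know $y_2$, which is what makes implicit rejection safe for a CCCA adversary that must commit to a predicate on $K$ up front.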
D Construction of authenticated encryption schemes
We recall the encrypt-then-mac approach [5, 14] for constructing authenticated symmetric en-
cryption.
D.1 Building blocks
Key Derivation Functions. A key-derivation function KDF for group scheme GS is a family
of functions KDFk : G → {0, 1}2k. We assume its output on a random input is computationally
indistinguishable from a random 2k-bit string (pseudorandomness), captured by defining the
kdf-pr-advantage of an adversary Bkdf as
Advkdf-pr
KDF ,Bkdf
(k) =
1
2
| Pr[Bkdf(KDF(K)) = 1] − Pr[Bkdf(X) = 1]|,
where K
$
← G and X
$
← {0, 1}2k.
Message Authentication Codes. A message authentication code MAC = (M.tag, M.vfy) with keys $mk \in \{0,1\}^k$ consists of a tag algorithm M.tag(mk, M) and a verification algorithm M.vfy(mk, M, τ). For consistency we require that for all messages M, we have $\Pr[\mathrm{M.vfy}(mk, M, \mathrm{M.tag}(mk, M)) \ne \bot] = 1$, where the probability is taken over the choice of coins of all the algorithms in the expression above.
MAC needs to be strongly unforgeable against one-time attacks (SUF-OT), captured by defining the suf-ot-advantage of an adversary $B_{\mathrm{mac}}$ as
$\mathrm{Adv}^{\mathrm{suf\text{-}ot}}_{\mathrm{MAC},B_{\mathrm{mac}}}(k) = \Pr\bigl[\mathrm{M.vfy}(mk, M^*, \tau^*) \ne \bot : mk \xleftarrow{\$} \{0,1\}^k;\ (M^*, \tau^*) \xleftarrow{\$} B_{\mathrm{mac}}^{\mathrm{M.tag}(mk,\cdot)}(1^k)\bigr].$
Above, oracle M.tag(mk, ·) returns τ ← M.tag(mk, M), and $B_{\mathrm{mac}}$ may make only a single query to oracle M.tag(mk, ·). The target pair (M*, τ*) must be different from the pair (M, τ) obtained from M.tag(mk, ·) (strong unforgeability).
We remark that efficient MACs satisfying the above definition can be constructed without
any computational assumption (and secure against unbounded adversaries) using, e.g., almost
strongly-universal hash families [40].
One-time secure symmetric encryption. Symmetric encryption S = (S.Enc, S.Dec) with keyspace $\{0,1\}^k$ and message space $\{0,1\}^{m(k)}$ is specified by its deterministic encryption algorithm S.Enc and decryption algorithm S.Dec. The scheme needs to be IND-OT, captured by defining the ind-ot-advantage $\mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{S,B_s}(k)$ of an adversary $B_s$ as
$\mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{S,B_s}(k) = \Pr\bigl[b = b' : dk \xleftarrow{\$} \{0,1\}^k;\ b \xleftarrow{\$} \{0,1\};\ b' \xleftarrow{\$} B_s^{\mathrm{LoR}_b(\cdot,\cdot)}(1^k)\bigr] - \frac{1}{2}.$
Above, $\mathrm{LoR}_b(M_0, M_1)$ returns ψ ← S.Enc(dk, $M_b$). $B_s$ is allowed only one query to this left-or-right encryption oracle, consisting of a pair of equal-length messages. One example of an IND-OT secure symmetric encryption scheme is the one-time pad [37].
D.2 Construction of authenticated encryption
Let S = (S.Enc, S.Dec) be a symmetric encryption scheme that takes keys from $\{0,1\}^k$ (such as AES), let KDF be a key-derivation function for group scheme GS that outputs bitstrings of length 2k, and let MAC be a MAC scheme with keys $mk \in \{0,1\}^k$. Using the "Encrypt-then-MAC" paradigm we can construct an algebraic AE = (AE.Enc, AE.Dec) that takes keys K ∈ G as follows.
AE.Enc(K, M)
  (mk‖dk) ← KDF(K), where mk, dk ∈ {0,1}^k
  ψ' ← S.Enc(dk, M)
  τ ← M.tag(mk, ψ')
  Return ψ = (ψ', τ)
AE.Dec(K, ψ = (ψ', τ))
  (mk‖dk) ← KDF(K)
  If M.vfy(mk, ψ', τ) = ⊥ return ⊥
  M ← S.Dec(dk, ψ')
  Return M
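The Encrypt-then-MAC construction above, instantiated in Python as an added example (not the paper's code) with k = 128 bits. Assumptions not in the text: group elements are integers encoded as 32 bytes, KDF is SHAKE256 of that encoding split into (mk, dk), S.Enc is a one-time keystream XOR standing in for AES, and M.tag is HMAC-SHA256 truncated to k bits; decryption verifies the tag before touching the payload and returns None as ⊥.

```python
import hashlib
import hmac
from typing import Optional, Tuple

K_BYTES = 16  # k = 128 bits; mk and dk are each k bits

def kdf(K: int) -> Tuple[bytes, bytes]:
    """KDF: G -> {0,1}^{2k}; assumed SHAKE256 of the encoded group element, split into (mk, dk)."""
    out = hashlib.shake_256(K.to_bytes(32, "big")).digest(2 * K_BYTES)
    return out[:K_BYTES], out[K_BYTES:]

def s_enc(dk: bytes, M: bytes) -> bytes:
    """S.Enc: deterministic XOR with a keystream expanded from dk (one message per dk only)."""
    stream = hashlib.shake_256(b"S.Enc keystream|" + dk).digest(len(M))
    return bytes(a ^ b for a, b in zip(M, stream))

s_dec = s_enc  # S.Dec: the XOR keystream is its own inverse

def m_tag(mk: bytes, msg: bytes) -> bytes:
    """M.tag: HMAC-SHA256 truncated to k bits, so |tau| = k as in the text."""
    return hmac.new(mk, msg, hashlib.sha256).digest()[:K_BYTES]

def m_vfy(mk: bytes, msg: bytes, tau: bytes) -> bool:
    """M.vfy: constant-time comparison; False plays the role of bottom."""
    return hmac.compare_digest(m_tag(mk, msg), tau)

def ae_enc(K: int, M: bytes) -> Tuple[bytes, bytes]:
    """AE.Enc: encrypt under dk, then tag the ciphertext under mk."""
    mk, dk = kdf(K)
    psi_prime = s_enc(dk, M)
    return psi_prime, m_tag(mk, psi_prime)  # psi = (psi', tau)

def ae_dec(K: int, psi: Tuple[bytes, bytes]) -> Optional[bytes]:
    """AE.Dec: reject (None) unless the tag verifies, then decrypt."""
    psi_prime, tau = psi
    mk, dk = kdf(K)
    if not m_vfy(mk, psi_prime, tau):
        return None
    return s_dec(dk, psi_prime)

def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed inputs: round trip, |psi| = |M| + k, rejection of a flipped bit and of a wrong key."""
    K = 0x1F2E3D4C5B6A7988  # constructed 'group element'
    M = b"KEM/DEM hybrid encryption"
    psi_prime, tau = ae_enc(K, M)
    roundtrip = ae_dec(K, (psi_prime, tau)) == M
    size_ok = len(psi_prime) + len(tau) == len(M) + K_BYTES
    flipped = bytes([psi_prime[0] ^ 0x01]) + psi_prime[1:]
    rejects_tamper = ae_dec(K, (flipped, tau)) is None
    rejects_key = ae_dec(K + 1, (psi_prime, tau)) is None
    return roundtrip, size_ok, rejects_tamper, rejects_key
```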
Typically, a MAC tag (from a computationally secure MAC) has k bits, so the above construction generates ciphertexts of size d(k) = |M| + k. The following lemma [14, 20, 5] guarantees that the AE scheme is one-time secure.
Lemma D.1 Assume S is IND-OT, KDF is pseudorandom, and MAC is SUF-OT. Then AE is AE-OT. In particular, we have
$\mathrm{Adv}^{\mathrm{ae\text{-}ot}}_{\mathrm{AE},t}(k) \le \mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{S,t}(k) + \mathrm{Adv}^{\mathrm{kdf\text{-}pr}}_{\mathrm{KDF},t}(k) + \mathrm{Adv}^{\mathrm{suf\text{-}ot}}_{\mathrm{MAC},t}(k).$
Intuitively, the MAC ensures ciphertext integrity and the encrypt-then-mac paradigm ensures that one-time security is preserved.
We remark that authenticated encryption is a strictly stronger security notion than chosen-ciphertext security (using a separation example from [5]), whereas the latter is already sufficient for the KEM/DEM composition theorem [14] (i.e., an IND-CCA secure KEM plus chosen-ciphertext secure symmetric encryption implies IND-CCA secure PKE). On the other hand, there exists redundancy-free chosen-ciphertext secure symmetric encryption [28] (with d(k) = |M|), whereas redundancy-free authenticated encryption does not exist.